cURL / Mailing Lists / curl-library / Single Mail


[PATCH] HttpOnly

From: Niklas Angebrand <>
Date: Tue, 22 Jan 2008 02:22:38 +0100


Some cookies are trailed with the keyword 'httponly' and Firefox obeys this
when it stores the cookie in its cookie jar (<profile_path>/cookie.txt). I
patched the CVS version to not ignore these cookies.

The patch was tested by trying to log in to using Firefox's
cookie jar (and the "remember me" option set), through the WWW::Curl::Easy
interface for perl.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20071204
Ubuntu/7.10 (gutsy) Firefox/

Note that I have not looked into whether curl correctly parses incoming
Set-Cookie: headers with the httponly attribute.

Mitigating Cross-site Scripting With HTTP-only Cookies

Niklas Angebrand

Received on 2008-01-22