cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH] HttpOnly

From: Daniel Stenberg <>
Date: Tue, 22 Jan 2008 13:03:22 +0100 (CET)

On Tue, 22 Jan 2008, Niklas Angebrand wrote:

> Some cookies are trailed with the keyword 'httponly' and Firefox obeys this
> when it stores the cookie in its cookie jar (<profile_path>/cookie.txt). I
> patched the CVS version to not ignore these cookies.

Whoa, what an amazingly intrusive way to solve that problem... Oh well, no
point to complain.

I would also like to see the code also remember that the cookie _is_ httponly
like this so that it can save it again like that when it writes a cookiejar,
as otherwise libcurl will effectively "clean" the cookie from this info and
thus defaut the purpose of that weirdness!

> I have not looked into whether curl correctly parses incoming Set-Cookie:
> headers with the httponly attribute.

It'll silently ignore it, but that isn't fine either if we're going to start
supporting this imho.

Can you please fix these issues as well while you're at it? I could volunteer
to write up a test case or two for this.

Also note that I'll consider this patch to go in after the 7.18.0 release
(planned release date this weekend) to not risk anything at this point.

  Commercial curl and libcurl Technical Support:
Received on 2008-01-22