bpo-38976: Add support for HTTP Only flag in MozillaCookieJar #17471
Conversation
|
For more information:
|
There was a problem hiding this comment.
Thank you for your contribution, @jacobneiltaylor
I only had two brief comments. Please see if you like to address them.
I also wonder why a very old issue got resurfaced again? Is there a practical change in the curl and other clients that we missed noticing? (ref: https://bugs.python.org/msg300920)
Lib/http/cookiejar.py
Outdated
| @@ -2004,6 +2004,7 @@ class MozillaCookieJar(FileCookieJar): | |||
| header by default (Mozilla can cope with that). | |||
|
|
|||
| """ | |||
| httponly_prefix = "#HttpOnly_" | |||
There was a problem hiding this comment.
We haven't visited this module often. Do you think, we could move this class attributes to a __init__ method - The new httponly_prefix as well as the previous magic_re and header.
There was a problem hiding this comment.
Just to clarify, you are asking for the class variables to be removed and the values moved into the constructor as literals?
There was a problem hiding this comment.
Do you think, we could move this class attributes to a
__init__method - The new httponly_prefix as well as the previous magic_re and header.
Hi Jacob,
My original thinking was - we add a __init__ method and we move those variables to the __init__ method, then our usage with self.attr_name becomes consistent with instance variable usages.
Move them to module-level headers is fine too.
I notice that moving.compile` to the module header will add a slight performance to the module which was not present. I am fine with it, but I will try to measure the performance of the test suite, before and after to ensure there is no drastic difference with the change.
Lib/http/cookiejar.py
Outdated
| if line == "": break | ||
|
|
||
| # detect httponly flag if present |
There was a problem hiding this comment.
Will a comment or a reference to an RFC help to explain why we are doing this?
|
Thanks for the feedback @orsenthil - I'll work on those code changes. With regard to the "why", I can share some limited details on the specific use case that prompted this contribution. An in-house SSO system I work with allows users to periodically vend libcurl-compatible cookiejar files. These files are explicitly for use with console scripts that interface with internal web APIs, usually for purposes of testing, experimentation and automation. They currently work with cURL-based BASH scripts, however there is increased interest in using them with more sophisticated Python-based automation. The cookiejar files are generated with the |
…ython into mozcookiejar-httponly
this is |
|
Thanks Senthil, that is now fixed by the looks of things. With regard to the changes made, I opted to move all the class variables to module constants instead of literals. This was because they were either relatively complex declarations (multiline strings/compiled regex objects) or were referenced in multiple locations. Additionally it is important to note that while HTTPOnly is a standard attribute in RFC6265, these modules are designed to model the cookies as defined in RFC2965. As such, I still believe the nonstandard attributes dictionary is the correct location to persist this information. |
| if line == "": break | ||
|
|
||
| # httponly is a cookie flag as defined in rfc6265 | ||
| # when encoded in a netscape cookie file, | ||
| # the line is prepended with "#HttpOnly_" |
There was a problem hiding this comment.
Verified this information here - https://curl.haxx.se/libcurl/c/CURLOPT_COOKIELIST.html
|
@orsenthil: Please replace |
…#17471) Add support for HTTP Only flag in MozillaCookieJar Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
| @@ -50,10 +50,18 @@ def _debug(*args): | |||
| logger = logging.getLogger("http.cookiejar") | |||
| return logger.debug(*args) | |||
|
|
|||
|
|
|||
| HTTPONLY_ATTR = "HTTPOnly" | |||
There was a problem hiding this comment.
This implementation is similar to my alternative approach in #22798 (and see bpo-2190), except:
- This version:
- Check if a cookie is "HTTP-only" with
cookie.has_nonstandard_attr(http.cookiejar.HTTPONLY_ATTR)) - Set a cookie as "HTTP-only" with
cookie.set_nonstandard_attr("HTTPOnly", "")
- Check if a cookie is "HTTP-only" with
- My version:
- Check with
cookie.httponly. - Set with
cookie.httponly = True
- Check with
This PR adds support for the HttpOnly flag as encoded in CURL cookiejars.
This PR was mainly designed to allow the MozillaCookieJar to parse in the cookies, as previously they were considered comments and ignored.
As HttpOnly is considered a non-standard attribute, the nonstandard attribute dict was considered the most appropriate place to persist this information.
https://bugs.python.org/issue38976