bpo-2190: make MozillaCookieJar handle HTTP-only cookies

Doc/library/http.cookiejar.rst

@@ -140,6 +140,9 @@ The following classes are provided:
 
    :rfc:`2964` - Use of HTTP State Management
 
+   https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+      Describes the purpose of the ``HttpOnly`` attribute.
+
 .. _cookie-jar-objects:
 
 CookieJar and FileCookieJar Objects
@@ -705,6 +708,13 @@ internal consistency, so you should know what you're doing if you do that.
    ``True`` if the domain explicitly specified by the server began with a dot
    (``'.'``).
 
+.. attribute:: Cookie.httponly
+
+   ``True`` if cookie should only be accessible to the web server, and not to
+   client-side scripts running in a web browser.
+
+   .. versionadded:: 3.10
+
 Cookies may have additional non-standard cookie-attributes.  These may be
 accessed using the following methods:
 

Lib/http/cookiejar.py

@@ -762,6 +762,7 @@ def __init__(self, version, name, value,
                  comment_url,
                  rest,
                  rfc2109=False,
+                 httponly=False,
                  ):
 
         if version is not None: version = int(version)
@@ -790,6 +791,7 @@ def __init__(self, version, name, value,
         self.comment = comment
         self.comment_url = comment_url
         self.rfc2109 = rfc2109
+        self.httponly = httponly
 
         self._rest = copy.copy(rest)
 
@@ -828,6 +830,7 @@ def __repr__(self):
             args.append("%s=%s" % (name, repr(attr)))
         args.append("rest=%s" % repr(self._rest))
         args.append("rfc2109=%s" % repr(self.rfc2109))
+        args.append("httponly=%s" % repr(self.httponly))
         return "%s(%s)" % (self.__class__.__name__, ", ".join(args))
 
 
@@ -1398,7 +1401,7 @@ def _normalized_cookie_tuples(self, attrs_set):
         """
         cookie_tuples = []
 
-        boolean_attrs = "discard", "secure"
+        boolean_attrs = "discard", "secure", "httponly"
         value_attrs = ("version",
                        "expires", "max-age",
                        "domain", "path", "port",
@@ -1498,6 +1501,7 @@ def _cookie_from_cookie_tuple(self, tup, request):
             except ValueError:
                 return None  # invalid version, ignore cookie
         secure = standard.get("secure", False)
+        httponly = standard.get("httponly", False)
         # (discard is also set if expires is Absent)
         discard = standard.get("discard", False)
         comment = standard.get("comment", None)
@@ -1570,7 +1574,8 @@ def _cookie_from_cookie_tuple(self, tup, request):
                       discard,
                       comment,
                       comment_url,
-                      rest)
+                      rest,
+                      httponly=httponly)
 
     def _cookies_from_attrs_set(self, attrs_set, request):
         cookie_tuples = self._normalized_cookie_tuples(attrs_set)
@@ -2029,10 +2034,19 @@ def _really_load(self, f, filename, ignore_discard, ignore_expires):
                 # last field may be absent, so keep any trailing tab
                 if line.endswith("\n"): line = line[:-1]
 
+                # support HTTP-only cookies (as stored by curl or old Firefox).
+                # per prior comment, we need to take care NOT to strip trailing
+                # whitespace
+                sline = line.lstrip()
+                if sline.startswith("#HttpOnly_"):
+                    httponly = True
+                    line = sline[10:]
                 # skip comments and blank lines XXX what is $ for?
-                if (line.strip().startswith(("#", "$")) or
-                    line.strip() == ""):
+                elif (sline.startswith(("#", "$")) or
+                      line.strip() == ""):
                     continue
+                else:
+                    httponly = False
 
                 domain, domain_specified, path, secure, expires, name, value = \
                         line.split("\t")
@@ -2063,7 +2077,8 @@ def _really_load(self, f, filename, ignore_discard, ignore_expires):
                            discard,
                            None,
                            None,
-                           {})
+                           {},
+                           httponly=httponly)
                 if not ignore_discard and c.discard:
                     continue
                 if not ignore_expires and c.is_expired(now):
@@ -2107,7 +2122,11 @@ def save(self, filename=None, ignore_discard=False, ignore_expires=False):
                 else:
                     name = cookie.name
                     value = cookie.value
+                if cookie.httponly:
+                    domain = '#HttpOnly_' + cookie.domain
+                else:
+                    domain = cookie.domain
                 f.write(
-                    "\t".join([cookie.domain, initial_dot, cookie.path,
+                    "\t".join([domain, initial_dot, cookie.path,
                                secure, expires, name, value])+
                     "\n")

Lib/test/test_http_cookiejar.py

@@ -1771,7 +1771,8 @@ def test_mozilla(self):
         interact_netscape(c, "http://www.foo.com/",
                           "foob=bar; Domain=.foo.com; %s" % expires)
         interact_netscape(c, "http://www.foo.com/",
-                          "fooc=bar; Domain=www.foo.com; %s" % expires)
+                          "fooc=bar; Domain=www.foo.com; Secure; HttpOnly; %s"
+                          % expires)
 
         def save_and_restore(cj, ignore_discard):
             try:
@@ -1788,6 +1789,10 @@ def save_and_restore(cj, ignore_discard):
         self.assertEqual(len(new_c), 6)  # none discarded
         self.assertIn("name='foo1', value='bar'", repr(new_c))
 
+        # verify that HttpOnly cookie is preserved, with that flag set on it
+        self.assertIn("name='fooc', value='bar'", repr(new_c))
+        self.assertIn("httponly", repr(new_c))
+
         new_c = save_and_restore(c, False)
         self.assertEqual(len(new_c), 4)  # 2 of them discarded on save
         self.assertIn("name='foo1', value='bar'", repr(new_c))

Misc/NEWS.d/next/Library/2020-10-20-00-34-00.bpo-2190.WNIr6.rst

@@ -0,0 +1,4 @@
+:class:`http.cookiejar.MozillaCookieJar` will now correctly load and
+save cookies marked `HTTP-only
+<https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies>`_.  Patch by
+Daniel Lenski.