From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001
From: Alain Schneble
Date: Sat, 22 Oct 2016 15:43:11 +0200
Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757)

* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly attribute from the list of cookie name-value-pairs if it's present in a Set-Cookie header value.
---
 lisp/url/url-cookie.el | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el
index 6848230..e22bc40 100644
--- a/lisp/url/url-cookie.el
+++ b/lisp/url/url-cookie.el
@@ -245,6 +245,12 @@ url-cookie-handle-set-cookie
 (let* ((args (url-parse-args str t))
 (case-fold-search t)
 (secure (and (assoc-string "secure" args t) t))
+ ;; HttpOnly attribute was introduced in RFC6265. Treat it as
+ ;; a cookie name if it appears on the left hand side of a
+ ;; cookie name-value-pair (i.e. HttpCookie=). Only
+ ;; treat it as HttpOnly flag if it stands alone.
+ (httponly-attribute (assoc-string "httponly" args t))
+ (httponly (and httponly-attribute (not (cdr httponly-attribute))))
 (domain (or (cdr-safe (assoc-string "domain" args t))
 (url-host url-current-object)))
 (current-url (url-view-url t))
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie
 (rest nil))
 (dolist (this args)
 (or (member (downcase (car this)) '("secure" "domain" "expires" "path"))
- (setq rest (cons this rest))))
+ ;; Accounts for the special case where HttpOnly is used as cookie name.
+ (and (equal (downcase (car this)) "httponly") httponly)
+ (setq rest (cons this rest))))
 ;; Sometimes we get dates that the timezone package cannot handle very
 ;; gracefully - take care of this here, instead of in url-cookie-expired-p
--
2.9.1
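Review bot: The new binding `(httponly-attribute (assoc-string "httponly" args t))` only finds the first entry named httponly, so a header carrying both a cookie named `HttpOnly=value` and a trailing bare `HttpOnly` attribute (attributes follow the name-value pair in the Set-Cookie grammar) leaves `httponly` nil, and the filter in the second hunk then keeps the bare entry in `rest` — apparently the same phantom cookie the patch sets out to remove, assuming `url-parse-args` yields one entry per occurrence. Testing each entry on its own in the dolist avoids the lookup, `(and (equal (downcase (car this)) "httponly") (null (cdr this)))`, and would leave the two added let* bindings unused. The example `HttpCookie=` in the new comment looks like a slip for `HttpOnly=`. Neither hunk stores the flag on the cookie, so if the cookie store has no field for it the comment should state that the attribute is only recognised and dropped, not honoured. `url-cookie-handle-set-cookie` begins before the first hunk and continues past the second.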