On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou <pinkforpe...@gmail.com> wrote:
> Hi,
>
> I'm a security researcher at the University of Virginia. I have been
> looking into the use and adoption of http-only cookies. My advisor is
> Professor David Evans.
>
> We were surprised to discover that Django does not explicitly support the
> httponly cookie field. I have searched for some solution but they all
> require patching to python or Django. I think if the client side JS
> does not need to access cookie value, which is true at least for
> authentication tokens, we should set that cookie httponly in order to
> prevent cookie stealing against cross-site scripting attacks.
>
> Is there any other good reason that Django is not supporting this
> feature? Are we missing something here?
>
> Thank you very much.
>
> Best,
>
> --Yuchen
> yz...@virginia.edu
> Graduate student at Computer Science Dept.
> University of Virginia
>

See http://code.djangoproject.com/ticket/3304

Cheers

Tom

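As an added illustration of the point raised in the thread (not code from the thread, from Django, or from ticket 3304): a WSGI wrapper that adds the HttpOnly flag to the session cookie on the way out, so no patch to Python or Django is required, plus a small audit helper a defender can run over response headers. The cookie name set, the middleware and the demo app are assumptions made for this example; the stand-in app is constructed and stands in for Django's WSGI handler.

```python
from http.cookies import SimpleCookie

# Cookie names client-side script never needs to read. "sessionid" is Django's
# default session cookie name; limiting the set to it is an assumption here.
HTTPONLY_COOKIES = {"sessionid"}

def parse_set_cookie(value):
    cookie = SimpleCookie()  # stays empty if the header value cannot be parsed
    cookie.load(value)
    return cookie

def add_httponly(value, names=HTTPONLY_COOKIES):
    # Return the Set-Cookie value(s) with HttpOnly added to protected cookies.
    cookie = parse_set_cookie(value)
    if not cookie:  # unparseable: pass it through rather than drop the header
        return [value]
    for name, morsel in cookie.items():
        if name in names and not morsel["httponly"]:
            morsel["httponly"] = True
    return [m.OutputString() for m in cookie.values()]

def cookies_missing_httponly(headers, names=HTTPONLY_COOKIES):
    # Defender's check: which protected cookies in a header list lack the flag?
    return {name for key, value in headers if key.lower() == "set-cookie"
            for name, morsel in parse_set_cookie(value).items()
            if name in names and not morsel["httponly"]}

class HttpOnlyCookieMiddleware:
    # WSGI wrapper: rewrites outgoing Set-Cookie headers; no Django patch needed.
    def __init__(self, app, names=HTTPONLY_COOKIES):
        self.app, self.names = app, names
    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            fixed = []
            for key, value in headers:
                if key.lower() == "set-cookie":
                    fixed += [("Set-Cookie", v) for v in add_httponly(value, self.names)]
                else:
                    fixed.append((key, value))
            return start_response(status, fixed, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    # Constructed stand-in for the Django WSGI handler: a session cookie that
    # should be HttpOnly and a UI preference cookie that script may read.
    start_response("200 OK", [("Set-Cookie", "sessionid=abc123; Path=/"),
                              ("Set-Cookie", "theme=dark; Path=/")])
    return [b"ok"]

def emitted_headers(app):
    captured = []  # run the app once with a dummy environ, collect its headers
    app({}, lambda status, headers, exc_info=None: captured.extend(headers))
    return captured
```

Later Django releases expose this directly as the SESSION_COOKIE_HTTPONLY setting; the wrapper above is only the kind of workaround the thread asks about for versions that lack it.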