tapestry-dev mailing list archives

From Ulrich Stärk (JIRA) <j...@apache.org>
Subject [jira] [Commented] (TAP5-2327) The Cookies interface should provide an option to mark cookies as httpOnly
Date Thu, 01 May 2014 16:49:17 GMT

    [ https://issues.apache.org/jira/browse/TAP5-2327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986756#comment-13986756 ]

Ulrich Stärk commented on TAP5-2327:
------------------------------------

That would mean a dependency on a Servlet 3.0 compatible container. Tapestry 5.3 is Java 5
compatible and therefore requires the dependency to stay at Servlet 2.5. We are discussing
bumping the Java compatibility to Java 8, though, so 5.4 might see Servlet 3.1 and this feature.

Uli

> The Cookies interface should provide an option to mark cookies as httpOnly
> --------------------------------------------------------------------------
>
>                 Key: TAP5-2327
>                 URL: https://issues.apache.org/jira/browse/TAP5-2327
>             Project: Tapestry 5
>          Issue Type: New Feature
>          Components: tapestry-core
>    Affects Versions: 5.3.7
>            Reporter: Martin Schneider
>              Labels: security
>
> Since Servlet 3.0 there is an option to mark cookies as httpOnly via javax.servlet.http.Cookie.setHttpOnly(boolean).
> There should be an option to use that in org.apache.tapestry5.services.Cookies. In 5.3.7 the
> default implementation does not set the httpOnly flag.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
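
On a container limited to Servlet 2.5, where `Cookie.setHttpOnly(boolean)` does not exist, the attribute can still be sent by writing the `Set-Cookie` header directly instead of calling `addCookie`. The following is an added example, not part of the original message and not Tapestry code; the class `HttpOnlyCookieWriter` and its method names are hypothetical, and the cookie in `main` is constructed sample data.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** Added example: emit an HttpOnly cookie using only Servlet 2.5 API calls. */
public final class HttpOnlyCookieWriter {

    private HttpOnlyCookieWriter() {}

    /** Builds a Set-Cookie header value from the cookie and always appends HttpOnly. */
    static String toHeaderValue(Cookie c) {
        StringBuilder sb = new StringBuilder();
        sb.append(checked(c.getName())).append('=').append(checked(c.getValue()));
        if (c.getPath() != null)   sb.append("; Path=").append(checked(c.getPath()));
        if (c.getDomain() != null) sb.append("; Domain=").append(checked(c.getDomain()));
        // getMaxAge() is -1 for a session cookie; 0 tells the browser to delete it.
        if (c.getMaxAge() >= 0)    sb.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure())         sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }

    /** Rejects characters that would terminate the attribute or the header line. */
    private static String checked(String s) {
        if (s == null) return "";
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch == ';' || ch == ',' || ch < 0x20 || ch == 0x7f) {
                throw new IllegalArgumentException("illegal character in cookie field at index " + i);
            }
        }
        return s;
    }

    /** Call in place of response.addCookie(c), which cannot express HttpOnly before Servlet 3.0. */
    public static void addHttpOnlyCookie(HttpServletResponse response, Cookie c) {
        // addHeader (not setHeader) so other Set-Cookie headers on the response are kept.
        response.addHeader("Set-Cookie", toHeaderValue(c));
    }

    public static void main(String[] args) {
        Cookie c = new Cookie("EXAMPLE_SESSION", "abc123"); // constructed sample values
        c.setPath("/");
        c.setSecure(true);
        System.out.println("Set-Cookie: " + toHeaderValue(c));
    }
}
```

A cookie written this way must not also be passed to `addCookie`, or the container will send a second `Set-Cookie` header for the same name without the flag.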
