From a964be6bd96583f8735fd297856f1c9845850f6a Mon Sep 17 00:00:00 2001
From: Dylan Simon
Date: Wed, 14 Sep 2011 17:30:42 -0400
Subject: preserve HttpOnly flag on cookies to prevent XSS attacks
---
 src/cookie-jar.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/cookie-jar.c')
diff --git a/src/cookie-jar.c b/src/cookie-jar.c
index dd9585b..2f6be83 100644
--- a/src/cookie-jar.c
+++ b/src/cookie-jar.c
@@ -40,7 +40,9 @@ changed(SoupCookieJar *jar, SoupCookie *old_cookie, SoupCookie *new_cookie) {
 * command because otherwise a loop would occur when a cookie change is
 * propagated to other uzbl instances using add/delete_cookie. */
 if(!uzbl_jar->in_manual_add) {
- gchar *scheme = cookie->secure ? "https" : "http";
+ gchar *scheme = cookie->secure
+ ? cookie->http_only ? "httpsOnly" : "https"
+ : cookie->http_only ? "httpOnly" : "http";
 gchar *expires = NULL;
 if(cookie->expires)
-- 
cgit v1.2.3
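Review bot: The new `scheme` assignment folds the HttpOnly flag into the scheme string, so every receiver of this cookie event now has to recognise four values instead of two, and nothing in the hunk documents that contract. A consumer that still compares against `"https"` exactly would presumably treat an `"httpsOnly"` cookie as neither Secure nor HttpOnly, silently weakening the cookie this commit is meant to protect. The parsing side is not visible here, so that should be confirmed. I would add a comment above the assignment such as `/* scheme also carries the HttpOnly flag: "http", "https", "httpOnly", "httpsOnly"; receivers must restore both secure and http_only from it */`. As a smaller point of style, the nested conditional reads more safely with each inner `?:` in parentheses, and the variable could be `const gchar *scheme` since it only ever points at string literals. The body of `changed()` begins and ends outside this hunk.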