Bug report
Bug description:
Firstly, I apologize if I make any incorrect assertions, as I am not an expert in the HTTP protocol.
MozillaCookieJar recognizes and writes the #HttpOnly_ prefix, based on curl's specifications.
But it is rare for cookies obtained via HTTP to be written with the HttpOnly prefix.
This functionality was added in Issue #17471.
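cpython/Lib/http/cookiejar.py, line 54 in bb4c167:
```python
HTTPONLY_PREFIX = "#HttpOnly_"
```
cpython/Lib/http/cookiejar.py, lines 2116 to 2117 in bb4c167:
```python
if cookie.has_nonstandard_attr(HTTPONLY_ATTR):
    domain = HTTPONLY_PREFIX + domain
```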
Cause:
In the implementation, the HttpOnly attribute is written to the _rest dict.
The key for this is defined as a constant, HTTPONLY_ATTR = "HTTPOnly".
Typically, this attribute is "HttpOnly". According to HTTP and cookie specifications, attribute names are case-insensitive as per RFC6265, so transmitting a key as "HTTPOnly" should not be an issue. However, http.cookiejar.Cookie.has_nonstandard_attr() is case-sensitive, and thus cannot create a prefix from the "HttpOnly" key.
Proposed changes:
- Change HTTPONLY_ATTR to "HttpOnly".
- Add a case_insensitive option to the has_nonstandard_attr() method, or define a new method.
Bug example:
Confirmation of curl's operation
```sh
curl -c cookies_curl.txt https://www.google.com >/dev/null
```
cookies_curl.txt
```
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_.google.com TRUE / FALSE 1720370643 NID 511=dubU9NnkyvPy81Arm27NwT4dmRQb-2Bp26u_yqqpYIWLGrxDqmrvV4ohLKP_YHu8uN2ZL4KOxMzhiaIiMmO7NODRgqUcJqv4hofwCBNBF0ba6JISBYybEWhTO3IpU2haTzOPtZHg7U3Wr6o9iw8ChFTR4ZhN5Tsh9YrXEEJBowE
#HttpOnly_.google.com TRUE / TRUE 1720111443 AEC Ackid1R3qr8JQRcTH038et4qh_mcMm7d-9lKMQEK_L-5kIbuw9mpEGjajg
.google.com TRUE / TRUE 1707151443 1P_JAR 2024-01-06-16
```
MozillaCookieJar's operation
It can understand curl's HttpOnly prefix, but cannot create the prefix from the http response.
```python
from http.cookiejar import MozillaCookieJar
from urllib.request import build_opener, HTTPCookieProcessor

jar = MozillaCookieJar("cookies_curl.txt")
jar.load()
print(*[(cookie.name, cookie._rest) for cookie in jar])
# ('NID', {'HTTPOnly': ''}) ('AEC', {'HTTPOnly': ''}) ('1P_JAR', {})
# CookieJar read prefixes as "HTTPOnly"

opener = build_opener(HTTPCookieProcessor(jar))
opener.open("https://www.google.com")
print(*[(cookie.name, cookie._rest) for cookie in jar])
# ('NID', {'HttpOnly': None}) ('AEC', {'HTTPOnly': ''}) ('1P_JAR', {})
# the response updated "NID"

jar.save(filename="cookies_python.txt")
```
cookies_python.txt
```
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This is a generated file! Do not edit.
.google.com TRUE / FALSE 1720370643 NID 511=QoMVKYl3KurjivLZCJDlSBuTB-FwYbV8Av0IAKJKOQWSsID-aMwPG1Dv7P9HUwy-SVZc_tpxJoBA5fGeinGGcxzpjvz7Rzt7X-_pJx8iv2ccKpQCnE4wpHPyAxQGlLObeoXb-627wEOtED82GUx9XiRiQDwGksML3usFANOTdUM
#HttpOnly_.google.com TRUE / TRUE 1720111443 AEC Ackid1R3qr8JQRcTH038et4qh_mcMm7d-9lKMQEK_L-5kIbuw9mpEGjajg
.google.com TRUE / TRUE 1707151463 1P_JAR 2024-01-06-16
```
CPython versions tested on:
3.10, 3.11, 3.12
Operating systems tested on:
Linux, Windows