make cookies httponly by default

we don't need or want cookie access in js
10 years ago · 07c4d23cad
parent 417b17450e
commit 07c4d23cad
1 changed files with 1 additions and 0 deletions
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@ -40,6 +40,7 @@ class LoginHandler(IPythonHandler):
    def post(self):
        typed_password = self.get_argument('password', default=u'')
        cookie_options = self.settings.get('cookie_options', {})
+        cookie_options.setdefault('httponly', True)
        if self.login_available(self.settings):
            if passwd_check(self.hashed_password, typed_password):
                # tornado <4.2 has a bug that considers secure==True as soon as