Merge pull request #2676 from DimitarChristoff/feature-httponly-cookie

httpOnly cookies

Author: Arian Stolwijk

Docs/Utilities/Cookie.md

@@ -8,6 +8,7 @@ Reads and writes a cookie.
 * path     - (*string*: defaults to '/') The path the cookie belongs to.
 * duration - (*number*: defaults to false) The duration of the cookie (in days) before it expires. If set to false or 0, the cookie will be a session cookie that expires when the browser is closed.
 * secure   - (*boolean*: defaults to false) Stored cookie information can be accessed only from a secure environment.
+* httpOnly - (*boolean*: defaults to false) Stored cookie information can be accessed only on the server.
 
 ## Cookie Method: write {#Cookie:write}
 

Source/Utilities/Cookie.js

@@ -27,7 +27,8 @@ var Cookie = new Class({
 		duration: false,
 		secure: false,
 		document: document,
-		encode: true
+		encode: true,
+		httpOnly: false
 	},
 
 	initialize: function(key, options){
@@ -45,6 +46,7 @@ var Cookie = new Class({
 			value += '; expires=' + date.toGMTString();
 		}
 		if (this.options.secure) value += '; secure';
+		if (this.options.httpOnly) value += '; HttpOnly';
 		this.options.document.cookie = this.key + '=' + value;
 		return this;
 	},

Specs/Utilities/Cookie.js

@@ -28,4 +28,12 @@ describe('Cookie', function(){
 		expect(Cookie.read('key', options)).toBeNull();
 	});
 
+	it('should set HttpCookie flag correctly', function(){
+		Cookie.write('http-key', 'value', {
+			httpOnly: true
+		});
+
+		expect(Cookie.read('http-key')).toBeNull();
+	});
+
 });