Make the default HTTP server configuration more secure

sdk/lib/io/http_headers.dart

Index: sdk/lib/io/http_headers.dart
diff --git a/sdk/lib/io/http_headers.dart b/sdk/lib/io/http_headers.dart
index f621fff07fa1fc8e4246393737fc110480e49b4d..3d6a994bf73247e07971a8524b057f32a68bdd3b 100644
--- a/sdk/lib/io/http_headers.dart
+++ b/sdk/lib/io/http_headers.dart
@@ -252,6 +252,10 @@ class _HttpHeaders implements HttpHeaders {
     _set(HttpHeaders.CONTENT_TYPE, contentType.toString());
   }
 
+  void clear() {
+    _headers.clear();

[Anders Johnsen, 2014/08/08 06:15:45]

What about all the fields?

Please add test with e.g. 

var headers = ...;
headers.contentLength = 0;
headers.clear();
Expect.equals(headers.contentLength, -1);

[Søren Gjesse, 2014/08/11 14:10:09]

Done.

+  }
+
   // [name] must be a lower-case version of the name.
   void _add(String name, value) {
     assert(name == _validateField(name));
@@ -797,7 +801,7 @@ class _Cookie implements Cookie {
   int maxAge;
   String domain;
   String path;
-  bool httpOnly = false;
+  bool httpOnly = true;
   bool secure = false;
 
   _Cookie([this.name, this.value]) {
@@ -805,6 +809,7 @@ class _Cookie implements Cookie {
   }
 
   _Cookie.fromSetCookieValue(String value) {
+    httpOnly = false;

[Anders Johnsen, 2014/08/08 06:15:45]

Is this because of spec? Can you add comment?

[Søren Gjesse, 2014/08/11 14:10:09]

Changed the default back to false, and set it to true in the non-parsing
constructor. Added a comment there.

     // Parse the 'set-cookie' header value.
     _parseSetCookieValue(value);
   }