Seehttp://tools.ietf.org/html/rfc6265#section-5.2.6Relevant section:---5.2.6. The HttpOnly AttributeIf the attribute-name case-insensitively matches the string HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value....If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.---http.cookies creates this attribute as `httponly` not `HttpOnly`.It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case then stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style.(Same applies to the Secure flag.)

New changeset0d8380c493ad by Benjamin Peterson in branch '3.4':capitialize "HttpOnly" and "Secure" as they appear in the standard and other impls (closes#23250)https://hg.python.org/cpython/rev/0d8380c493ad