--- a/jdk/src/share/classes/java/net/HttpCookie.java	Thu Sep 04 14:46:36 2008 +0200
+++ b/jdk/src/share/classes/java/net/HttpCookie.java	Fri Sep 05 00:43:26 2008 -0700
@@ -75,6 +75,7 @@
     private String path;        // Path=VALUE ... URLs that see the cookie
     private String portlist;    // Port[="portlist"] ... the port cookie may be returned to
     private boolean secure;     // Secure ... e.g. use SSL
+    private boolean httpOnly;   // HttpOnly ... i.e. not accessible to scripts
     private int version = 1;    // Version=1 ... RFC 2965 style
 
     //
@@ -656,6 +657,32 @@
         version = v;
     }
 
+    /**
+     * Returns {@code true} if this cookie contains the <i>HttpOnly</i>
+     * attribute. This means that the cookie should not be accessible to
+     * scripting engines, like javascript.
+     *
+     * @return {@code true} if this cookie should be considered http only.
+     * @see #setHttpOnly(boolean)
+     */
+    public boolean isHttpOnly()
+    {
+        return httpOnly;
+    }
+
+    /**
+     * Indicates whether the cookie should be considered HTTP Only. If set to
+     * {@code true} it means the cookie should not be accessible to scripting
+     * engines like javascript.
+     *
+     * @param httpOnly if {@code true} make the cookie HTTP only, i.e.
+     *                 only visible as part of an HTTP request.
+     * @see #isHttpOnly()
+     */
+    public void setHttpOnly(boolean httpOnly)
+    {
+        this.httpOnly = httpOnly;
+    }
 
     /**
      * The utility method to check whether a host name is in a domain
@@ -877,6 +904,7 @@
             || name.equalsIgnoreCase("Port")            // rfc2965 only
             || name.equalsIgnoreCase("Secure")
             || name.equalsIgnoreCase("Version")
+            || name.equalsIgnoreCase("HttpOnly")
             || name.charAt(0) == '$')
         {
             return true;
@@ -996,6 +1024,11 @@
                     cookie.setSecure(true);
                 }
             });
+        assignors.put("httponly", new CookieAttributeAssignor(){
+                public void assign(HttpCookie cookie, String attrName, String attrValue) {
+                    cookie.setHttpOnly(true);
+                }
+            });
         assignors.put("version", new CookieAttributeAssignor(){
                 public void assign(HttpCookie cookie, String attrName, String attrValue) {
                     try {

--- a/jdk/test/java/net/CookieHandler/TestHttpCookie.java	Thu Sep 04 14:46:36 2008 +0200
+++ b/jdk/test/java/net/CookieHandler/TestHttpCookie.java	Fri Sep 05 00:43:26 2008 -0700
@@ -24,7 +24,7 @@
 /**
  * @test
  * @summary Unit test for java.net.HttpCookie
- * @bug 6244040 6277796 6277801 6277808 6294071
+ * @bug 6244040 6277796 6277801 6277808 6294071 6692802
  * @author Edward Wang
  */
 
@@ -178,6 +178,19 @@
     }
     TestHttpCookie port(String p) { return port(0, p); }
 
+    // check http only
+    TestHttpCookie httpOnly(int index, boolean b) {
+        HttpCookie cookie = cookies.get(index);
+        if (cookie == null || b != cookie.isHttpOnly()) {
+            raiseError("HttpOnly", String.valueOf(cookie.isHttpOnly()), String.valueOf(b));
+        }
+        return this;
+    }
+
+    TestHttpCookie httpOnly(boolean b) {
+        return httpOnly(0, b);
+    }
+
     // check equality
     static void eq(HttpCookie ck1, HttpCookie ck2, boolean same) {
         testCount++;
@@ -362,6 +375,10 @@
         } catch (IllegalArgumentException ignored) {
             // expected exception; no-op
         }
+
+        // CR 6692802: HttpOnly flag
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE;HttpOnly").httpOnly(true);
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE").httpOnly(false);
     }
 
     static void header(String prompt) {