6873543: CookieManager doesn't enforce httpOnly
Summary: Adds check for the httpOnly attribute and clarifies javadoc
Reviewed-by: chegar
--- a/jdk/src/share/classes/java/net/CookieHandler.java Wed Oct 21 00:12:59 2009 -0700
+++ b/jdk/src/share/classes/java/net/CookieHandler.java Wed Oct 21 13:42:39 2009 +0200
@@ -101,11 +101,21 @@
* Gets all the applicable cookies from a cookie cache for the
* specified uri in the request header.
*
- * HTTP protocol implementers should make sure that this method is
+ * <P>The {@code URI} passed as an argument specifies the intended use for
+ * the cookies. In particular the scheme should reflect whether the cookies
+ * will be sent over http, https or used in another context like javascript.
+ * The host part should reflect either the destination of the cookies or
+ * their origin in the case of javascript.</P>
+ * <P>It is up to the implementation to take into account the {@code URI} and
+ * the cookies attributes and security settings to determine which ones
+ * should be returned.</P>
+ *
+ * <P>HTTP protocol implementers should make sure that this method is
* called after all request headers related to choosing cookies
- * are added, and before the request is sent.
+ * are added, and before the request is sent.</P>
*
- * @param uri a <code>URI</code> to send cookies to in a request
+ * @param uri a <code>URI</code> representing the intended use for the
+ * cookies
* @param requestHeaders - a Map from request header
* field names to lists of field values representing
* the current request headers
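Review bot: The new paragraph at L16-L18 tells implementers to consider "the cookies attributes and security settings" without naming any, so someone reading only this interface cannot tell which attributes the contract turns on; since the companion CookieManager change enforces `httpOnly` alongside the existing `secure` handling, name them as examples: `the cookie attributes (such as {@code secure} and {@code httpOnly}) and security settings`. It would also help to state the expected treatment of a scheme that is neither http nor https (for example that it is treated as a non-HTTP context, so httpOnly cookies are withheld), rather than leaving the whole policy implicit. Minor style point: the added text uses `{@code URI}` while the edited `@param` on L26 keeps `<code>URI</code>`; pick one form within the same comment.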
--- a/jdk/src/share/classes/java/net/CookieManager.java Wed Oct 21 00:12:59 2009 -0700
+++ b/jdk/src/share/classes/java/net/CookieManager.java Wed Oct 21 13:42:39 2009 +0200
@@ -218,6 +218,13 @@
// 'secure' cookies over unsecure links)
if (pathMatches(path, cookie.getPath()) &&
(secureLink || !cookie.getSecure())) {
+ // Enforce httponly attribute
+ if (cookie.isHttpOnly()) {
+ String s = uri.getScheme();
+ if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) {
+ continue;
+ }
+ }
// Let's check the authorize port list if it exists
String ports = cookie.getPortlist();
if (ports != null && !ports.isEmpty()) {
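Review bot: The scheme test added at L39-L40 is loop-invariant — `uri` does not change between cookies — yet it is re-evaluated for every cookie that passes the path/secure check, and it presumably inspects the same scheme that already produced `secureLink` outside the hunk. Compute it once beside `secureLink`, before the loop: `boolean httpLink = "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());` and shrink the added block to `if (cookie.isHttpOnly() && !httpLink) continue; // httpOnly cookies are only released to HTTP(S) requests`. Note that a URI without a scheme gives `getScheme() == null`, which `equalsIgnoreCase` rejects, so httpOnly cookies are withheld in that case; that is the safe default but deserves a comment so it is not later "fixed". The enclosing method and the loop this `continue` belongs to both start and end outside the hunk.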
--- a/jdk/test/java/net/CookieHandler/B6644726.java Wed Oct 21 00:12:59 2009 -0700
+++ b/jdk/test/java/net/CookieHandler/B6644726.java Wed Oct 21 13:42:39 2009 +0200
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 6644726
+ * @bug 6644726 6873543
* @summary Cookie management issues
*/
@@ -170,6 +170,28 @@
if (isIn(clst, "myCookie8=")) {
fail("A cookie with an invalid port list was returned");
}
+
+ // Test httpOnly flag (CR# 6873543)
+ lst.clear();
+ map.clear();
+ cm.getCookieStore().removeAll();
+ lst.add("myCookie11=httpOnlyTest; httpOnly");
+ map.put("Set-Cookie", lst);
+ uri = new URI("http://www.sun.com/");
+ cm.put(uri, map);
+ m = cm.get(uri, emptyMap);
+ clst = m.get("Cookie");
+ // URI scheme was http: so we should get the cookie
+ if (!isIn(clst, "myCookie11=")) {
+ fail("Missing cookie with httpOnly flag");
+ }
+ uri = new URI("javascript://www.sun.com/");
+ m = cm.get(uri, emptyMap);
+ clst = m.get("Cookie");
+ // URI scheme was neither http or https so we shouldn't get the cookie
+ if (isIn(clst, "myCookie11=")) {
+ fail("Should get the cookie with httpOnly when scheme is javascript:");
+ }
}
private static boolean isIn(List<String> lst, String cookie) {
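Review bot: The failure message at L80 says the opposite of what the check asserts — that branch runs when an httpOnly cookie was wrongly returned for a `javascript:` URI, so a failing run would print "Should get the cookie with httpOnly when scheme is javascript:"; change it to `fail("Should not get the cookie with httpOnly when scheme is javascript:");`. The test also only exercises lower-case `http` and `javascript`; since the implementation compares schemes case-insensitively, a round-trip through `new URI("HTTPS://www.sun.com/")` would pin that behaviour, and a scheme-less or `file:` URI would cover the other non-HTTP contexts the check is meant to reject. Whether `HttpCookie` parses the bare `httpOnly` token case-insensitively is not visible here; if it does not, the positive assertion at L72 depends on the exact casing used in L65.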