6692802: HttpCookie needs to support HttpOnly attribute
authorjccollet
Thu, 04 Sep 2008 15:26:53 +0200
changeset 1234 e3dc213d4879
parent 1153 6b88c071a015
child 1235 6eb228dda95c
6692802: HttpCookie needs to support HttpOnly attribute Summary: Added HttpOnly tag support to HttpCookie class. Reviewed-by: chegar, michaelm
jdk/src/share/classes/java/net/HttpCookie.java
jdk/test/java/net/CookieHandler/TestHttpCookie.java
--- a/jdk/src/share/classes/java/net/HttpCookie.java	Mon Sep 01 17:11:58 2008 +0200
+++ b/jdk/src/share/classes/java/net/HttpCookie.java	Thu Sep 04 15:26:53 2008 +0200
@@ -75,6 +75,7 @@
     private String path;        // Path=VALUE ... URLs that see the cookie
     private String portlist;    // Port[="portlist"] ... the port cookie may be returned to
     private boolean secure;     // Secure ... e.g. use SSL
+    private boolean httpOnly;   // HttpOnly ... i.e. not accessible to scripts
     private int version = 1;    // Version=1 ... RFC 2965 style
 
     //
@@ -656,6 +657,32 @@
         version = v;
     }
 
+    /**
+     * Returns {@code true} if this cookie contains the <i>HttpOnly</i>
+     * attribute. This means that the cookie should not be accessible to
+     * scripting engines, like javascript.
+     *
+     * @return {@code true} if this cookie should be considered http only.
+     * @see #setHttpOnly(boolean)
+     */
+    public boolean isHttpOnly()
+    {
+        return httpOnly;
+    }
+
+    /**
+     * Indicates whether the cookie should be considered HTTP Only. If set to
+     * {@code true} it means the cookie should not be accessible to scripting
+     * engines like javascript.
+     *
+     * @param httpOnly if {@code true} make the cookie HTTP only, i.e.
+     *                 only visible as part of an HTTP request.
+     * @see #isHttpOnly()
+     */
+    public void setHttpOnly(boolean httpOnly)
+    {
+        this.httpOnly = httpOnly;
+    }
 
     /**
      * The utility method to check whether a host name is in a domain
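Review bot: The two new public methods `isHttpOnly()` and `setHttpOnly(boolean)` carry no `@since` tag in their Javadoc, which a newly added java.net API method needs so readers can tell which release introduced it; the target release is not stated on this page (presumably 1.7 given the date), so add the matching `@since` line to both blocks. The Javadoc also promises that the cookie "should not be accessible to scripting engines", yet the change only stores and reports the flag, so a sentence in `isHttpOnly()` such as `Note that {@code HttpCookie} itself does not restrict access to the cookie; the attribute is recorded so that whoever consumes the cookie can honour it.` would keep callers from assuming the library enforces the restriction. As a point of style, the opening brace on its own line under `public boolean isHttpOnly()` and `public void setHttpOnly(boolean httpOnly)` differs from the K&R placement used by the anonymous classes elsewhere in this diff.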
@@ -877,6 +904,7 @@
             || name.equalsIgnoreCase("Port")            // rfc2965 only
             || name.equalsIgnoreCase("Secure")
             || name.equalsIgnoreCase("Version")
+            || name.equalsIgnoreCase("HttpOnly")
             || name.charAt(0) == '$')
         {
             return true;
@@ -996,6 +1024,11 @@
                     cookie.setSecure(true);
                 }
             });
+        assignors.put("httponly", new CookieAttributeAssignor(){
+                public void assign(HttpCookie cookie, String attrName, String attrValue) {
+                    cookie.setHttpOnly(true);
+                }
+            });
         assignors.put("version", new CookieAttributeAssignor(){
                 public void assign(HttpCookie cookie, String attrName, String attrValue) {
                     try {
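Review bot: The new `httponly` assignor ignores `attrValue` and sets the flag on mere presence of the attribute, which is the intended semantics for a flag attribute and mirrors the `secure` assignor directly above, but nothing says so; a one-line comment on the `assign` body, `// flag attribute: presence alone sets it, any value is ignored (as for Secure)`, would stop a later reader from "fixing" it to parse the value. The map key is lower-case `"httponly"`, which only works if the lookup lower-cases the parsed attribute name; that lookup lives outside this hunk, so please confirm it does. The enclosing static initializer starts and ends outside the hunk.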
--- a/jdk/test/java/net/CookieHandler/TestHttpCookie.java	Mon Sep 01 17:11:58 2008 +0200
+++ b/jdk/test/java/net/CookieHandler/TestHttpCookie.java	Thu Sep 04 15:26:53 2008 +0200
@@ -24,7 +24,7 @@
 /**
  * @test
  * @summary Unit test for java.net.HttpCookie
- * @bug 6244040 6277796 6277801 6277808 6294071
+ * @bug 6244040 6277796 6277801 6277808 6294071 6692802
  * @author Edward Wang
  */
 
@@ -178,6 +178,19 @@
     }
     TestHttpCookie port(String p) { return port(0, p); }
 
+    // check http only
+    TestHttpCookie httpOnly(int index, boolean b) {
+        HttpCookie cookie = cookies.get(index);
+        if (cookie == null || b != cookie.isHttpOnly()) {
+            raiseError("HttpOnly", String.valueOf(cookie.isHttpOnly()), String.valueOf(b));
+        }
+        return this;
+    }
+
+    TestHttpCookie httpOnly(boolean b) {
+        return httpOnly(0, b);
+    }
+
     // check equality
     static void eq(HttpCookie ck1, HttpCookie ck2, boolean same) {
         testCount++;
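Review bot: `httpOnly(int, boolean)` guards against `cookie == null` in its condition and then dereferences `cookie` in the very next line, so the null case it checks for ends in a NullPointerException instead of the intended `raiseError`; change the call to `raiseError("HttpOnly", cookie == null ? "null" : String.valueOf(cookie.isHttpOnly()), String.valueOf(b));`. Whether `cookies.get(index)` can actually return null depends on the type of `cookies`, which is declared outside this hunk, but the helper should be consistent with its own check either way.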
@@ -362,6 +375,10 @@
         } catch (IllegalArgumentException ignored) {
             // expected exception; no-op
         }
+
+        // CR 6692802: HttpOnly flag
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE;HttpOnly").httpOnly(true);
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE").httpOnly(false);
     }
 
     static void header(String prompt) {
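Review bot: The two new assertions only exercise the exact spelling `HttpOnly` as the sole attribute, so neither the case-insensitive attribute lookup nor the reserved-name rejection added to `isReserved` in HttpCookie.java is covered; add `test("set-cookie: CUSTOMER=WILE_E_COYOTE;httponly").httpOnly(true);` and `test("set-cookie: CUSTOMER=WILE_E_COYOTE;Secure;HttpOnly").httpOnly(true).secure(true);` (assuming a `secure` checker exists alongside `port`, which is outside this hunk), and a construction of `new HttpCookie("HttpOnly", "x")` inside the same expected-IllegalArgumentException pattern used a few lines above. The enclosing test method starts outside the hunk.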