changeset 1788:5ab37d9d9260

6873543: CookieManager doesn't enforce httpOnly Summary: Adds check for httpOnly tag and clarifies javadoc Reviewed-by: chegar
author jccollet
date Wed, 21 Oct 2009 13:42:39 +0200
parents b0433598e26d
children 75c453fa1aa1 ae42baa10318
files src/share/classes/java/net/CookieHandler.java src/share/classes/java/net/CookieManager.java test/java/net/CookieHandler/B6644726.java
diffstat 3 files changed, 43 insertions(+), 4 deletions(-) [+]
--- a/src/share/classes/java/net/CookieHandler.java	Wed Oct 21 00:12:59 2009 -0700
+++ b/src/share/classes/java/net/CookieHandler.java	Wed Oct 21 13:42:39 2009 +0200
@@ -101,11 +101,21 @@
      * Gets all the applicable cookies from a cookie cache for the
      * specified uri in the request header.
      *
-     * HTTP protocol implementers should make sure that this method is
+     * <P>The {@code URI} passed as an argument specifies the intended use for
+     * the cookies. In particular the scheme should reflect whether the cookies
+     * will be sent over http, https or used in another context like javascript.
+     * The host part should reflect either the destination of the cookies or
+     * their origin in the case of javascript.</P>
+     * <P>It is up to the implementation to take into account the {@code URI} and
+     * the cookies attributes and security settings to determine which ones
+     * should be returned.</P>
+     *
+     * <P>HTTP protocol implementers should make sure that this method is
      * called after all request headers related to choosing cookies
-     * are added, and before the request is sent.
+     * are added, and before the request is sent.</P>
      *
-     * @param uri a <code>URI</code> to send cookies to in a request
+     * @param uri a <code>URI</code> representing the intended use for the
+     *            cookies
      * @param requestHeaders - a Map from request header
      *            field names to lists of field values representing
      *            the current request headers
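Review bot: The rewritten `@param uri` line at L34 keeps `<code>URI</code>` while the new paragraphs at L19 and L24 switch to `{@code URI}`; the hunk should settle on one form, e.g. `* @param uri a {@code URI} representing the intended use for the`. The added `<P>…</P>` wrapping likewise sits next to unwrapped paragraphs in the same Javadoc (L15–L17), so the markup reads inconsistently. Since this is the abstract contract, the sentence "cookies attributes and security settings" could name the attributes a caller can expect an implementation to honour, e.g. `* the cookies attributes (such as secure and httpOnly) and security settings`, so implementers know which gates are expected rather than optional.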
--- a/src/share/classes/java/net/CookieManager.java	Wed Oct 21 00:12:59 2009 -0700
+++ b/src/share/classes/java/net/CookieManager.java	Wed Oct 21 13:42:39 2009 +0200
@@ -218,6 +218,13 @@
             // 'secure' cookies over unsecure links)
             if (pathMatches(path, cookie.getPath()) &&
                     (secureLink || !cookie.getSecure())) {
+                // Enforce httponly attribute
+                if (cookie.isHttpOnly()) {
+                    String s = uri.getScheme();
+                    if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) {
+                        continue;
+                    }
+                }
                 // Let's check the authorize port list if it exists
                 String ports = cookie.getPortlist();
                 if (ports != null && !ports.isEmpty()) {
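Review bot: `uri.getScheme()` and the two `equalsIgnoreCase` calls at L47–L48 are loop-invariant but are re-evaluated for every cookie; computing the predicate once alongside `secureLink` (which appears to be derived from the same URI, though that code is outside the hunk) keeps the gate as readable as the secure check on L44, e.g. `boolean httpScheme = "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());` before the loop and `if (cookie.isHttpOnly() && !httpScheme) { continue; }` in place of L46–L51. A URI with no scheme makes `getScheme()` return null, which both `equalsIgnoreCase` calls reject, so httpOnly cookies are withheld in that case; that fail-closed default is correct but not obvious from the code, so the comment on L45 should say so: `// Enforce httponly: only http/https requests may see these cookies; a missing scheme withholds them`. The enclosing for-loop and method begin outside the hunk.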
--- a/test/java/net/CookieHandler/B6644726.java	Wed Oct 21 00:12:59 2009 -0700
+++ b/test/java/net/CookieHandler/B6644726.java	Wed Oct 21 13:42:39 2009 +0200
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 6644726
+ * @bug 6644726 6873543
  * @summary Cookie management issues
  */
 
@@ -170,6 +170,28 @@
         if (isIn(clst, "myCookie8=")) {
             fail("A cookie with an invalid port list was returned");
         }
+
+        // Test httpOnly flag (CR# 6873543)
+        lst.clear();
+        map.clear();
+        cm.getCookieStore().removeAll();
+        lst.add("myCookie11=httpOnlyTest; httpOnly");
+        map.put("Set-Cookie", lst);
+        uri = new URI("http://www.sun.com/");
+        cm.put(uri, map);
+        m = cm.get(uri, emptyMap);
+        clst = m.get("Cookie");
+        // URI scheme was http: so we should get the cookie
+        if (!isIn(clst, "myCookie11=")) {
+            fail("Missing cookie with httpOnly flag");
+        }
+        uri = new URI("javascript://www.sun.com/");
+        m = cm.get(uri, emptyMap);
+        clst = m.get("Cookie");
+        // URI scheme was neither http or https so we shouldn't get the cookie
+        if (isIn(clst, "myCookie11=")) {
+            fail("Should get the cookie with httpOnly when scheme is javascript:");
+        }
     }
 
     private static boolean isIn(List<String> lst, String cookie) {
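Review bot: The failure message on L90 states the opposite of what the check asserts: the branch fires when the httpOnly cookie *was* returned for a `javascript:` URI, so it should read `fail("Should not get the cookie with httpOnly when scheme is javascript:");`. The comment on L88 would also read better as `// URI scheme was neither http nor https so we shouldn't get the cookie`. The new test covers only the http and javascript schemes; adding an https URI (expected to return the cookie) and a URI with no scheme (expected to withhold it) would pin down the remaining branches of the new CookieManager check. The enclosing test method begins outside the hunk.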