diff --git a/src/share/classes/java/net/CookieHandler.java b/src/share/classes/java/net/CookieHandler.java
index 0de42ac43f03eb28c1f9c8cd331241b684c7c1f8..1bdfe3c8577f08e783da334bb73aa52230d4ac14 100644
--- a/src/share/classes/java/net/CookieHandler.java
+++ b/src/share/classes/java/net/CookieHandler.java
@@ -101,11 +101,21 @@ public abstract class CookieHandler {
 * Gets all the applicable cookies from a cookie cache for the
 * specified uri in the request header.
 *
- * HTTP protocol implementers should make sure that this method is
+ *
The {@code URI} passed as an argument specifies the intended use for
+ * the cookies. In particular the scheme should reflect whether the cookies
+ * will be sent over http, https or used in another context like javascript.
+ * The host part should reflect either the destination of the cookies or
+ * their origin in the case of javascript.
+ *It is up to the implementation to take into account the {@code URI} and
+ * the cookies attributes and security settings to determine which ones
+ * should be returned.
+ *
+ *HTTP protocol implementers should make sure that this method is
 * called after all request headers related to choosing cookies
- * are added, and before the request is sent.
+ * are added, and before the request is sent.
 *
- * @param uri aURI
to send cookies to in a request
+ * @param uri a URI
representing the intended use for the
+ * cookies
* @param requestHeaders - a Map from request header
* field names to lists of field values representing
* the current request headers
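Review bot: The new paragraph explains what the scheme of the {@code URI} means but leaves the consequence for cookies carrying the {@code HttpOnly} attribute implicit, so an implementer reading only this contract cannot tell that such cookies are expected to be withheld when the scheme is not http or https, which is what the CookieManager change in this commit enforces. If that is the intended contract, a sentence after "should be returned." would make it explicit, e.g. `* Cookies carrying the {@code HttpOnly} attribute should only be returned when the scheme is {@code http} or {@code https}.` The phrase "the cookies attributes" also reads better as "the cookies' attributes". The method signature this Javadoc describes lies outside the hunk.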
diff --git a/src/share/classes/java/net/CookieManager.java b/src/share/classes/java/net/CookieManager.java
index 95de8c0db3bb9a40be2e0354f03c64da27a5a1bc..57038fcdbf2b04c84fb4b82594e8ce3f5bbc4835 100644
--- a/src/share/classes/java/net/CookieManager.java
+++ b/src/share/classes/java/net/CookieManager.java
@@ -218,6 +218,13 @@ public class CookieManager extends CookieHandler
// 'secure' cookies over unsecure links)
if (pathMatches(path, cookie.getPath()) &&
(secureLink || !cookie.getSecure())) {
+ // Enforce httponly attribute
+ if (cookie.isHttpOnly()) {
+ String s = uri.getScheme();
+ if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) {
+ continue;
+ }
+ }
// Let's check the authorize port list if it exists
String ports = cookie.getPortlist();
if (ports != null && !ports.isEmpty()) {
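Review bot: `uri.getScheme()` on the new httponly check is re-evaluated for every cookie although it cannot change inside the loop; hoisting it, together with the http/https test, above the loop keeps the per-cookie branch to a single boolean and matches how `secureLink` appears to be computed once (its definition is outside the hunk). For example `String scheme = uri.getScheme();` and `boolean httpScheme = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);` before the loop, then `if (cookie.isHttpOnly() && !httpScheme) { continue; }` in place of the nested block. A comment would also help the next reader: a relative or scheme-less URI makes `getScheme()` return null, which `equalsIgnoreCase` treats as no match, so HttpOnly cookies are withheld rather than exposed in that case, e.g. `// A null scheme (relative URI) fails closed: HttpOnly cookies are not returned`. The enclosing loop and method begin and end outside the hunk.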
diff --git a/test/java/net/CookieHandler/B6644726.java b/test/java/net/CookieHandler/B6644726.java
index e153bbd937be19aaf551f300a92bced2b6da1391..a7a330d70c362f596ac27ca8cfbf96d7421df92b 100644
--- a/test/java/net/CookieHandler/B6644726.java
+++ b/test/java/net/CookieHandler/B6644726.java
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 6644726
+ * @bug 6644726 6873543
* @summary Cookie management issues
*/
@@ -170,6 +170,28 @@ public class B6644726 {
if (isIn(clst, "myCookie8=")) {
fail("A cookie with an invalid port list was returned");
}
+
+ // Test httpOnly flag (CR# 6873543)
+ lst.clear();
+ map.clear();
+ cm.getCookieStore().removeAll();
+ lst.add("myCookie11=httpOnlyTest; httpOnly");
+ map.put("Set-Cookie", lst);
+ uri = new URI("http://www.sun.com/");
+ cm.put(uri, map);
+ m = cm.get(uri, emptyMap);
+ clst = m.get("Cookie");
+ // URI scheme was http: so we should get the cookie
+ if (!isIn(clst, "myCookie11=")) {
+ fail("Missing cookie with httpOnly flag");
+ }
+ uri = new URI("javascript://www.sun.com/");
+ m = cm.get(uri, emptyMap);
+ clst = m.get("Cookie");
+ // URI scheme was neither http or https so we shouldn't get the cookie
+ if (isIn(clst, "myCookie11=")) {
+ fail("Should get the cookie with httpOnly when scheme is javascript:");
+ }
}
private static boolean isIn(List
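Review bot: The failure message for the `javascript:` lookup states the opposite of what the assertion checks: the `if (isIn(clst, "myCookie11="))` branch fires when the HttpOnly cookie is returned for a non-http scheme, so the message should read `fail("Should not get the cookie with httpOnly when scheme is javascript:");`. The new case also exercises only `http` and `javascript`; a third lookup with `https://www.sun.com/` expecting the cookie to be present would pin the other scheme the manager accepts. The `isIn` helper that begins on the last line of the hunk has its body outside it.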