提交 dc16d53b 编写于 作者: J jccollet

6873543: CookieManager doesn't enforce httpOnly

Summary: Adds check for httpOnly tag and clarifies javadoc
Reviewed-by: chegar
上级 316413c2
...@@ -101,11 +101,21 @@ public abstract class CookieHandler { ...@@ -101,11 +101,21 @@ public abstract class CookieHandler {
* Gets all the applicable cookies from a cookie cache for the * Gets all the applicable cookies from a cookie cache for the
* specified uri in the request header. * specified uri in the request header.
* *
* HTTP protocol implementers should make sure that this method is * <P>The {@code URI} passed as an argument specifies the intended use for
* the cookies. In particular the scheme should reflect whether the cookies
* will be sent over http, https or used in another context like javascript.
* The host part should reflect either the destination of the cookies or
* their origin in the case of javascript.</P>
* <P>It is up to the implementation to take into account the {@code URI} and
* the cookies attributes and security settings to determine which ones
* should be returned.</P>
*
* <P>HTTP protocol implementers should make sure that this method is
* called after all request headers related to choosing cookies * called after all request headers related to choosing cookies
* are added, and before the request is sent. * are added, and before the request is sent.</P>
* *
* @param uri a <code>URI</code> to send cookies to in a request * @param uri a <code>URI</code> representing the intended use for the
* cookies
* @param requestHeaders - a Map from request header * @param requestHeaders - a Map from request header
* field names to lists of field values representing * field names to lists of field values representing
* the current request headers * the current request headers
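Review bot: The new paragraphs (the `<P>The {@code URI} passed as an argument…` text) tell implementers that the scheme carries the security context but never say what the expected behaviour is for the two cases a caller actually hits: a scheme that is neither `http` nor `https`, and a relative URI with no scheme at all. As written an implementer of `CookieHandler` cannot tell whether cookies carrying the HttpOnly attribute must be withheld for such URIs, which is the whole reason this wording was added. I would add one sentence after "should be returned.", e.g. `* Implementations are expected to withhold cookies marked HttpOnly unless the scheme is {@code http} or {@code https}; a {@code URI} with no scheme should be treated as a non-HTTP context.` The `get` method's signature and the rest of its Javadoc lie outside this hunk.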
...@@ -218,6 +218,13 @@ public class CookieManager extends CookieHandler ...@@ -218,6 +218,13 @@ public class CookieManager extends CookieHandler
// 'secure' cookies over unsecure links) // 'secure' cookies over unsecure links)
if (pathMatches(path, cookie.getPath()) && if (pathMatches(path, cookie.getPath()) &&
(secureLink || !cookie.getSecure())) { (secureLink || !cookie.getSecure())) {
// Enforce httponly attribute
if (cookie.isHttpOnly()) {
String s = uri.getScheme();
if (!"http".equalsIgnoreCase(s) && !"https".equalsIgnoreCase(s)) {
continue;
}
}
// Let's check the authorize port list if it exists // Let's check the authorize port list if it exists
String ports = cookie.getPortlist(); String ports = cookie.getPortlist();
if (ports != null && !ports.isEmpty()) { if (ports != null && !ports.isEmpty()) {
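Review bot: The scheme test on the new `if (cookie.isHttpOnly())` lines is recomputed for every cookie in the loop and silently relies on `uri.getScheme()` returning null for a relative URI, in which case both `equalsIgnoreCase` calls are false and the cookie is withheld — fail-closed, but not obvious to the next reader, so it deserves a comment such as `// a null scheme (relative URI) is treated as a non-HTTP context: HttpOnly cookies are withheld`. Since `uri` does not change inside the loop, I would also hoist it to a single `boolean httpScheme = "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());` computed before the loop and test `if (cookie.isHttpOnly() && !httpScheme) continue;`. HttpOnly is also meant to stop a non-HTTP API from replacing an existing HttpOnly cookie; `put()` is outside this hunk, so if it does not apply the same scheme check the attribute is only enforced on the read side. The loop and the enclosing `get` method both start and end outside this hunk.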
...@@ -23,7 +23,7 @@ ...@@ -23,7 +23,7 @@
/* /*
* @test * @test
* @bug 6644726 * @bug 6644726 6873543
* @summary Cookie management issues * @summary Cookie management issues
*/ */
...@@ -170,6 +170,28 @@ public class B6644726 { ...@@ -170,6 +170,28 @@ public class B6644726 {
if (isIn(clst, "myCookie8=")) { if (isIn(clst, "myCookie8=")) {
fail("A cookie with an invalid port list was returned"); fail("A cookie with an invalid port list was returned");
} }
// Test httpOnly flag (CR# 6873543)
lst.clear();
map.clear();
cm.getCookieStore().removeAll();
lst.add("myCookie11=httpOnlyTest; httpOnly");
map.put("Set-Cookie", lst);
uri = new URI("http://www.sun.com/");
cm.put(uri, map);
m = cm.get(uri, emptyMap);
clst = m.get("Cookie");
// URI scheme was http: so we should get the cookie
if (!isIn(clst, "myCookie11=")) {
fail("Missing cookie with httpOnly flag");
}
uri = new URI("javascript://www.sun.com/");
m = cm.get(uri, emptyMap);
clst = m.get("Cookie");
// URI scheme was neither http or https so we shouldn't get the cookie
if (isIn(clst, "myCookie11=")) {
fail("Should get the cookie with httpOnly when scheme is javascript:");
}
} }
private static boolean isIn(List<String> lst, String cookie) { private static boolean isIn(List<String> lst, String cookie) {
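Review bot: The failure message on the last new check is inverted: `fail("Should get the cookie with httpOnly when scheme is javascript:")` is reached only when the HttpOnly cookie *was* returned for the `javascript:` URI, so a failing run reports the opposite of what went wrong; it should read `fail("Should not get the cookie with httpOnly when scheme is javascript:");`. The new test also covers only `http:` and `javascript:`; one more `get` with `new URI("https://www.sun.com/")` expecting the cookie, and one with a URI that has no scheme expecting it withheld, would pin the two remaining branches of the scheme check. The enclosing test method begins outside this hunk.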