RFR 7095980: Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies
Chris Hegarty
chris.hegarty at oracle.com
Thu Dec 15 07:00:10 PST 2011
CR 7095980: Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies
The changes use the internal/private java.net.HttpCookie parsing
implementation to filter out HttpOnly cookies from the Set-Cookie and
Set-Cookie2 headers returned in the HTTP protocol handler. With this
change I believe the HTTP protocol suitably protects HttpOnly cookies.
http://cr.openjdk.java.net/~chegar/7095980/webrev.00/webrev/
It reuses the internal java.net.HttpCookie parsing implementation rather
than trying to maintain two separate parsing implementations. This is a
little ugly since it is private and in the public java.net namespace,
but I believe a shared secret is the best approach here. We could have
moved the implementation itself into sun.net and just made it public,
but I felt it cleaner to leave it as is.
Thanks,
-Chris.
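The filtering the message describes, shown as an added stand-alone example (not the webrev's code, which lives inside the protocol handler and uses the private parser): each raw Set-Cookie / Set-Cookie2 value is parsed with the public java.net.HttpCookie.parse, and any value that yields an HttpOnly cookie, or that cannot be parsed at all, is withheld before header values reach application code. The class name, method names and sample header values are constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper: hides HttpOnly cookies from header-reading APIs. */
public final class HttpOnlyFilter {

    /** True when the header name is Set-Cookie or Set-Cookie2 (case-insensitive). */
    static boolean isCookieHeader(String name) {
        return name != null
            && (name.equalsIgnoreCase("Set-Cookie") || name.equalsIgnoreCase("Set-Cookie2"));
    }

    /**
     * Decide whether one raw Set-Cookie/Set-Cookie2 value may be exposed.
     * A value that parses to any HttpOnly cookie is hidden. A value that does
     * not parse is hidden too (fail closed), since we cannot show it is safe.
     */
    static boolean isExposable(String rawValue) {
        List<HttpCookie> cookies;
        try {
            // HttpCookie.parse accepts a bare value or one with a "Set-Cookie:" prefix
            // and may return several cookies for a Set-Cookie2 header.
            cookies = HttpCookie.parse(rawValue);
        } catch (IllegalArgumentException e) {
            return false;
        }
        for (HttpCookie c : cookies) {
            if (c.isHttpOnly()) {
                return false;
            }
        }
        return true;
    }

    /** Filter the values of one header; non-cookie headers pass through untouched. */
    static List<String> filterValues(String name, List<String> values) {
        if (!isCookieHeader(name)) {
            return values;
        }
        List<String> kept = new ArrayList<String>();
        for (String v : values) {
            if (isExposable(v)) {
                kept.add(v);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from any real server.
        List<String> setCookie = Arrays.asList(
            "JSESSIONID=abc123; Path=/; HttpOnly",          // hidden
            "theme=dark; Path=/",                            // exposed
            "token=xyz; Secure; HttpOnly; Path=/app",        // hidden
            "not a cookie at all;;;");                       // hidden (unparseable)
        List<String> contentType = Arrays.asList("text/html; charset=UTF-8");

        System.out.println("Set-Cookie exposed: " + filterValues("Set-Cookie", setCookie));
        System.out.println("Content-Type exposed: " + filterValues("Content-Type", contentType));
    }
}
```

The point of parsing rather than substring-matching "HttpOnly" is that a Set-Cookie2 header can carry several cookies in one value, and the attribute belongs to an individual cookie; parsing lets the whole header value be withheld whenever any cookie in it is HttpOnly, which is the conservative choice when the API hands back raw strings.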