RFR 7095980: Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies
Michael McMahon
michael.x.mcmahon at oracle.com
Fri Dec 16 07:43:19 PST 2011
On 15/12/11 15:00, Chris Hegarty wrote:
> CR 7095980: Ensure HttpURLConnection (and supporting APIs) don't
> expose HttpOnly cookies
>
> The changes use the internal/private java.net.HttpCookie parsing
> implementation to filter out HttpOnly cookies from the Set-Cookie and
> Set-Cookie2 headers returned in the HTTP protocol handler. With this
> change I believe the HTTP protocol suitably protects HttpOnly cookies.
>
> http://cr.openjdk.java.net/~chegar/7095980/webrev.00/webrev/
>
> It reuses the internal java.net.HttpCookie parsing implementation
> rather than trying to maintain two separate parsing implementations.
> This is a little ugly since it is private and in the public java.net
> namespace, but I believe a shared secret is the best approach here. We
> could have moved the implementation itself into sun.net and just made
> it public, but I felt it cleaner to leave it as is.
>
> Thanks,
> -Chris.
Looks good to me.
- Michael.
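As an added illustration, and not the code from the webrev above, the filtering Chris describes can be expressed with the public java.net.HttpCookie API: parse each Set-Cookie / Set-Cookie2 header value and drop any value that carries the HttpOnly attribute before exposing headers to application code. The header values below are constructed samples.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class HttpOnlyFilter {

    // Returns only those Set-Cookie / Set-Cookie2 header values that do not
    // carry HttpOnly. A value is dropped whole if any cookie in it is
    // HttpOnly (a Set-Cookie2 value may hold several comma-separated cookies),
    // so nothing marked HttpOnly can leak through getHeaderField and friends.
    static List<String> filterHttpOnly(List<String> setCookieValues) {
        List<String> kept = new ArrayList<>();
        for (String value : setCookieValues) {
            boolean httpOnly = false;
            try {
                // HttpCookie.parse accepts the raw value or a full header
                // line with a "Set-Cookie:" / "Set-Cookie2:" prefix.
                for (HttpCookie c : HttpCookie.parse(value)) {
                    if (c.isHttpOnly()) {
                        httpOnly = true;
                        break;
                    }
                }
            } catch (IllegalArgumentException e) {
                // Unparseable header: be conservative and do not expose it.
                httpOnly = true;
            }
            if (!httpOnly) {
                kept.add(value);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from a real server.
        List<String> headers = Arrays.asList(
            "JSESSIONID=0123abcd; Path=/; HttpOnly",
            "theme=dark; Path=/; Max-Age=3600",
            "Set-Cookie2: sid=\"42\"; Version=1; HttpOnly");
        for (String v : filterHttpOnly(headers)) {
            System.out.println(v);
        }
    }
}
```

Only the `theme=dark` value survives; both HttpOnly values are withheld regardless of whether they arrived as Set-Cookie or Set-Cookie2.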