CR: 7183292: HttpURLConnection.getHeaderFields() throws IllegalArgumentException: Illegal cookie name
Michael McMahon
michael.x.mcmahon at oracle.com
Wed Jul 18 10:47:35 PDT 2012
This is the same change for 7u6. The change is identical.
http://cr.openjdk.java.net/~michaelm/7183292/webrev.7u6.2/
Thanks,
Michael
On 18/07/12 18:38, Michael McMahon wrote:
> Thanks Kurchi.
>
> I have made one small change to another test, which was specifically
> testing the $name assertion.
> So, that test had to be removed.
>
> The new webrev is at:
>
> http://cr.openjdk.java.net/~michaelm/7183292/webrev.3/
>
> - Michael
>
> On 17/07/12 18:15, Kurchi Subhra Hazra wrote:
>> I have read the sections dealing with cookie-name in 6265, and these
>> changes look good to me.
>>
>> - Kurchi
>>
>> On 7/17/12 7:32 AM, Michael McMahon wrote:
>>>
>>> Thanks for reviewing this Chris. On the question of whether $ should be allowed
>>> in cookie names, it appears like that restriction has been removed from RFC 6265,
>>> which is evidently a fairly comprehensive description of actual cookie usage on the web.
>>> So, maybe we should just leave that out as well - assuming that it is being used in places
>>> (albeit in contravention of the older RFC). What do you think?
>>>
>>> - Michael
>>>
>>> On 17/07/2012 14:18, Chris Hegarty wrote:
>>>> On 17/07/2012 10:17, Michael McMahon wrote:
>>>>> Hi,
>>>>>
>>>>> Could I get the following change reviewed please?
>>>>>
>>>>> http://cr.openjdk.java.net/~michaelm/7183292/webrev.1/
>>>>>
>>>>> Since 7u4, we are parsing all incoming cookies via the HttpCookie class.
>>>>> This class has had a restriction on cookie names that is causing this problem
>>>>> and which is not required by any of the cookie specifications, as far as I can see
>>>>> (RFC 2965, and 6265 which obsoletes 2965).
>>>>
>>>> Right, this is my reading of the RFCs also. In fact, RFC 2965
>>>> explicitly states that "the NAME of a cookie MAY be the same as one
>>>> of the attributes in this specification".
>>>>
>>>>> The restriction was that cookie names could not be the same (case insensitively)
>>>>> as any of the attribute names (e.g. Domain). So, the change is to remove
>>>>> the restriction.
>>>>
>>>> Yes, this makes sense to me.
>>>>
>>>> One comment on the webrev is that isReserved also enforces that the
>>>> name cannot start with a '$', from 2965: "NAMEs that begin with $
>>>> are reserved and MUST NOT be used by applications." I think you may
>>>> need to minimally reintroduce this. Otherwise, the changes look
>>>> good to me.
>>>>
>>>> -Chris.
>>>>
>>>>>
>>>>> Thanks,
>>>>> Michael
>>>
>>
>
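
The two cookie-name rules discussed in this thread, side by side, as an added example that is not taken from the webrev or from the JDK's HttpCookie source. The class and method names are hypothetical, and the attribute list (RFC 2965 attributes plus the Netscape "Expires") is an assumption about what the old check covered.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration only; not the JDK's HttpCookie implementation.
public class CookieNameRules {
    // Assumed reserved list: RFC 2965 attribute names plus Netscape "Expires".
    private static final Set<String> ATTRIBUTES = Set.of(
        "comment", "commenturl", "discard", "domain", "expires",
        "max-age", "path", "port", "secure", "version");

    // RFC 2616 separators; a token is 1+ US-ASCII chars that are neither CTLs nor separators.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isToken(String name) {
        if (name.isEmpty()) return false;
        for (char c : name.toCharArray()) {
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    // The restriction described in the thread: a name equal (case-insensitively)
    // to an attribute name, or starting with '$', is rejected.
    static boolean acceptedWithRestriction(String name) {
        return isToken(name)
            && !ATTRIBUTES.contains(name.toLowerCase(Locale.ROOT))
            && name.charAt(0) != '$';
    }

    // RFC 6265: cookie-name = token, with no reserved names and no '$' rule.
    static boolean acceptedRfc6265(String name) {
        return isToken(name);
    }

    public static void main(String[] args) {
        // Constructed sample names, as a server might send them in Set-Cookie.
        for (String n : List.of("JSESSIONID", "Domain", "path", "$Version", "bad name", "a=b", "")) {
            System.out.printf("%-12s restricted=%-5b rfc6265=%b%n",
                "\"" + n + "\"", acceptedWithRestriction(n), acceptedRfc6265(n));
        }
    }
}
```

Names such as "Domain", "path" and "$Version" are valid tokens, so only the restricted rule rejects them; "bad name", "a=b" and the empty string fail both rules because they are not tokens.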