How to get Secure & non-HttpOnly cookies from CookieHandler

Vasiliy Baranov vasiliy.baranov at oracle.com
Fri Jun 14 09:15:58 PDT 2013


On 14.06.2013 19:32, Chris Hegarty wrote:
> Hi Vasiliy,
>
> On 14/06/2013 09:48, Vasiliy Baranov wrote:
>> Greetings,
>>
>> Suppose I need to call java.net.CookieHandler.get(URI uri,
>> Map<String,List<String>> requestHeaders) and need to filter out
>> 'HttpOnly' cookies from the result. My understanding is in that case I
>> should call CookieHandler.get with a URI starting with "javascript://"
>> or any other non-HTTP scheme.
>
> Yes, that will certainly work, but I admit it is a little odd.
>
>> Now what if I need to exclude 'HttpOnly' cookies but include 'Secure'
>> non-'HttpOnly' cookies? Which scheme should I use in the URI in that
>> case? "javascripts"?
>
> 'javascripts' will not work. Currently only 'https' is supported for
> 'Secure' cookie.

Hi Chris,

Thank you for clarifying these.

By "will not work" you mean it will not work with stock CookieHandler 
implementations such as java.net.CookieManager and plugin cookie handlers?

At this point I am mostly interested in knowing how your team thinks it 
should work in the ideal world, that is, from the specification point of 
view.

The use case I have is JavaFX WebView's implementation for the 
'document.cookie' object which needs to return secure cookies if the web 
page has been obtained via a secure channel but filter out secure 
cookies otherwise (obviously, HttpOnly cookies must be filtered out in 
either case).

FWIW, WebView has its own CookieHandler implementation that gets 
installed automatically as the default CookieHandler if there is no 
default CookieHandler installed yet. In the current WebView 
implementation, "javascript" is the only scheme that allows filtering 
out HttpOnly cookies as you are describing above, so it cannot 
differentiate between secure and non-secure channels and hence has to 
exclude secure cookies for safety. That causes problems such as the one 
reported recently: https://javafx-jira.kenai.com/browse/RT-31072 . That 
recent issue looks rather critical so I am about to change the WebView 
implementation to differentiate between secure and non-secure channels 
using the value of "javascripts" to denote a secure analog of 
"javascript". I don't think I have an option to not make that change, 
and now I am sort of wondering whether it is going to cause a total 
disaster with the plugin cookie handlers.

Thank you,
-- Vasiliy

>> This question is somewhat related to
>> http://bugs.sun.com/view_bug.do?bug_id=7077220 ,
>> http://bugs.sun.com/view_bug.do?bug_id=7038890 , and
>> http://bugs.sun.com/view_bug.do?bug_id=7048628 .
>>
>> Thank you,
>> -- Vasiliy
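
Added example, not part of the original message and not JDK or JavaFX code: it feeds constructed Set-Cookie headers for the placeholder host example.test to the stock java.net.CookieManager and queries it with each scheme mentioned in the thread. The helper scriptVisible is hypothetical; it applies the document.cookie rule from the use case above (drop HttpOnly always, keep Secure only for an https page) by reading HttpCookie attributes from the cookie store instead of encoding the rule in a URI scheme.

```java
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class ScriptCookieDemo {
    // Hypothetical helper: cookies that a page loaded from pageUri may expose to script.
    static List<String> scriptVisible(CookieManager cm, URI pageUri) {
        boolean securePage = "https".equalsIgnoreCase(pageUri.getScheme());
        String path = pageUri.getPath();
        if (path == null || path.isEmpty()) path = "/";
        List<String> out = new ArrayList<>();
        // CookieStore.get(URI) selects stored, unexpired cookies for the URI's host.
        for (HttpCookie c : cm.getCookieStore().get(pageUri)) {
            if (c.isHttpOnly()) continue;                  // never visible to script
            if (c.getSecure() && !securePage) continue;    // Secure needs a secure page
            if (c.getPath() != null && !path.startsWith(c.getPath())) continue;
            out.add(c.getName() + "=" + c.getValue());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        CookieManager cm = new CookieManager();
        // Constructed sample response headers for a placeholder host.
        cm.put(URI.create("https://example.test/"),
               Collections.singletonMap("Set-Cookie", Arrays.asList(
                   "plain=1", "sec=2; Secure", "ho=3; HttpOnly",
                   "both=4; Secure; HttpOnly")));

        // What the stock handler returns for each scheme discussed in the thread.
        for (String scheme : new String[] {"https", "http", "javascript", "javascripts"}) {
            URI u = URI.create(scheme + "://example.test/");
            System.out.println(scheme + " -> "
                + cm.get(u, Collections.emptyMap()).get("Cookie"));
        }

        // The attribute-based filter, for a secure and a non-secure page.
        System.out.println("script on https page -> "
            + scriptVisible(cm, URI.create("https://example.test/")));
        System.out.println("script on http page  -> "
            + scriptVisible(cm, URI.create("http://example.test/")));
    }
}
```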
