[JDK-7095980] Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies - Java Bug System

XML

Word

Printable

Details

Type: Enhancement
Status: Closed
Priority: P2
Resolution: Fixed
Affects Version/s: 7
Fix Version/s: 8
Component/s: core-libs
Labels:
None

Subcomponent:
java.net
Resolved In Build:
b19
CPU:

generic
OS:

generic
Verification:
Verified

Backports

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-2219511	7u4	Chris Hegarty	P2	Closed	Fixed	b07

Description

Once CR 7077220 is fixed the Plugin CookieHandler may be able to retrieve HttpOnly cookies from the browsers cookie store. This CR is concerned with ensuring HttpOnly cookies are not accessible to application code ( trusted or untrusted ).

HttpOnly cookies should only be accessible to the HTTP client implementation, so that they can be used in HTTP requests, and NOT anywhere else.

Attachments

Issue Links

backported by

JDK-2219511 Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies

Closed

duplicates

JDK-8014034 Certain Set-Cookie lines in headers appear as null in recent versions of 1.7.0

Resolved

relates to

JDK-7128648 HttpURLConnection.getHeaderFields should return an unmodifiable Map

Closed

JDK-8036017 Set-Cookie response header is read as empty after setting CookieManager

Closed

JDK-7077220 Plugin CookieHandler ignores HttpOnly cookies

Closed

Activity

People

Assignee:: Chris Hegarty

Reporter:: Chris Hegarty

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2011-09-28 08:28

Updated:: 2014-06-11 01:22

Resolved:: 2012-08-21 12:01

Imported:: 17/Sep/12 11:20 PM

Indexed:: 22/Aug/12 3:03 AM