JDK-8038997

Browsers failed to pass HttpOnly cookie to JRE

    • Bug
    • Resolution: Won't Fix
    • P4
    • None
    • 7, 8
    • deploy
    • x86
    • windows_8

      FULL PRODUCT VERSION :
      JRE:Version 8 Update 20 build 1.8.0_20-ea-b05
      JRE:Version 8 build 1.8.0-b132

      ADDITIONAL OS VERSION INFORMATION :
      Test case1:
      OS:Windows8.1 Enterprise
      Browser: Firefox28
      JRE:Version 8 build 1.8.0-b132

      Test case2:
      OS:10.8.5
      Browser:firefox28
      JRE:Version 8 Update 20 build 1.8.0_20-ea-b05

      The same problem occurs for some other JRE 1.7.x and browser combinations too.

      A DESCRIPTION OF THE PROBLEM :
      The JRE's JAR/class downloading code doesn't send the HttpOnly cookie to the web server that is used to host the JAR files.


      ADDITIONAL REGRESSION INFORMATION:
      JRE:Version 8 Update 20 build 1.8.0_20-ea-b05
      JRE:Version 8 build 1.8.0-b132


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      You can follow these steps to reproduce the problem:
      1. Access http://www.coderforlife.com/test/http-only-cookie/
         The browser will get an HttpOnly cookie called "httOnly" and a normal cookie called "normal", which you can see when you view the cookies using Firebug or HttpWatch.
      2. After the Java applet has launched, look at the Java console window;
         you can see that only the normal cookie is there, as in the following.

      network: Cache entry not found [url: http://www.coderforlife.com/test/http-only-cookie/CookieTest.class, version: null]
      network: Connecting http://www.coderforlife.com/test/http-only-cookie/CookieTest.class with cookie "normal=xxx"
      network: Downloading resource: http://www.coderforlife.com/test/http-only-cookie/CookieTest.class


      3. I can reproduce the problem in the following two test cases.
         The same problem occurs for some other JRE 1.7.x and browser combinations too.

      Test case1:
      OS:Windows8.1 Enterprise
      Browser: Firefox28
      JRE:Version 8 build 1.8.0-b132

      Test case2:
      OS:10.8.5
      Browser:firefox28
      JRE:Version 8 Update 20 build 1.8.0_20-ea-b05



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I expect the JRE to send both the normal cookie and the HttpOnly cookie when it tries to download the JAR/class.
      ACTUAL -
      The JRE only sends the normal cookie in its JAR/class download request.

      REPRODUCIBILITY :
      This bug can be reproduced always.

            dtitov Daniil Titov (Inactive)
            webbuggrp Webbug Group
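A check for the trace output in step 2, as an added example (not part of the original report or of the JDK): it compares the cookies the browser received with the cookies named in the Java console's `network: Connecting ... with cookie` lines and lists the ones that were not forwarded. The Set-Cookie headers and the function names are constructed for illustration, and cookie path/domain scoping is not modelled.

```python
import re
from http.cookies import SimpleCookie

# Trace line format as quoted in the report's Java console output.
TRACE_RE = re.compile(r'^network: Connecting (\S+) with cookie "([^"]*)"$')

def browser_cookies(set_cookie_headers):
    """Map cookie name -> True when the cookie carries the HttpOnly attribute."""
    jar = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = bool(morsel["httponly"])
    return jar

def forwarded_cookies(console_lines):
    """Map URL -> set of cookie names attached to that download request."""
    sent = {}
    for line in console_lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # cache and download progress lines carry no cookie info
        url, cookie_header = m.groups()
        names = {p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()}
        sent.setdefault(url, set()).update(names)
    return sent

def missing_cookies(set_cookie_headers, console_lines):
    """Per URL, list (name, is_httponly) for browser cookies absent from the request."""
    jar = browser_cookies(set_cookie_headers)
    return {url: sorted((n, jar[n]) for n in jar if n not in names)
            for url, names in forwarded_cookies(console_lines).items()}

# Constructed sample input: the Set-Cookie headers are invented for this example;
# the console lines are the ones quoted in the report.
SET_COOKIE = ["normal=xxx; Path=/test/", "httOnly=yyy; Path=/test/; HttpOnly"]
CONSOLE = [
    'network: Cache entry not found [url: http://www.coderforlife.com/test/http-only-cookie/CookieTest.class, version: null]',
    'network: Connecting http://www.coderforlife.com/test/http-only-cookie/CookieTest.class with cookie "normal=xxx"',
    'network: Downloading resource: http://www.coderforlife.com/test/http-only-cookie/CookieTest.class',
]

if __name__ == "__main__":
    for url, gaps in missing_cookies(SET_COOKIE, CONSOLE).items():
        print(url, "->", gaps or "all cookies forwarded")
```

A cookie reported with `True` in the second field is one that page scripts cannot read, so the class/JAR request reaches the server without it unless the browser hands it to the plug-in directly.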