JDK-6873543 : CookieManager doesn't enforce httpOnly
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 7
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2009-08-19
  • Updated: 2017-05-16
  • Resolved: 2009-11-24
JDK 7
7 b77 Fixed
Related Reports
Relates :  
Description
java.net.CookieManager, the default CookieHandler, doesn't enforce the httpOnly tag.
Cookies that are tagged with "httpOnly" should only be returned when the intended use is transmission over http or https, i.e. when the scheme of the URI passed in get() is http or https.
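
A check for the behaviour described above, added here as an example and not taken from the JDK sources or its test suite. The host example.test, the cookie names and values, and the ftp URI standing in for a non-HTTP scheme are constructed for illustration.

```java
import java.net.CookieManager;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class HttpOnlyCheck {
    // Cookie header values that CookieManager.get() would attach for this URI.
    static List<String> cookiesFor(CookieManager cm, String uri) throws Exception {
        Map<String, List<String>> none = new HashMap<String, List<String>>();
        List<String> cookies = cm.get(URI.create(uri), none).get("Cookie");
        return cookies == null ? Collections.<String>emptyList() : cookies;
    }

    // True if a cookie with the given name is among the returned header values.
    static boolean sends(List<String> cookies, String name) {
        for (String c : cookies) {
            if (c.startsWith(name + "=")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        CookieManager cm = new CookieManager(); // default policy: ACCEPT_ORIGINAL_SERVER

        // Constructed response headers: one HttpOnly cookie, one ordinary cookie.
        Map<String, List<String>> response = new HashMap<String, List<String>>();
        response.put("Set-Cookie", Arrays.asList(
                "session=abc123; Path=/; HttpOnly",
                "theme=dark; Path=/"));
        cm.put(URI.create("http://example.test/app/"), response);

        List<String> overHttp  = cookiesFor(cm, "http://example.test/app/");
        List<String> overHttps = cookiesFor(cm, "https://example.test/app/");
        List<String> overOther = cookiesFor(cm, "ftp://example.test/app/"); // non-HTTP scheme

        // The HttpOnly cookie must be returned for http/https and withheld otherwise.
        boolean ok = sends(overHttp, "session") && sends(overHttps, "session")
                && !sends(overOther, "session") && sends(overOther, "theme");

        System.out.println("http : " + overHttp);
        System.out.println("https: " + overHttps);
        System.out.println("ftp  : " + overOther);
        if (!ok) throw new IllegalStateException("httpOnly is not enforced by this runtime");
    }
}
```

On a runtime without the fix, the ftp lookup also returns the session cookie and the check throws.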

Comments
EVALUATION Yes. Already fixed in JDK 6 with 6865629. Will fix in JDK 7 as soon as possible.
19-08-2009