JDK-8038997 : Browsers failed to pass HttpOnly cookie to JRE
  • Type: Bug
  • Component: deploy
  • Affected Version: 7,8
  • Priority: P4
  • Status: Resolved
  • Resolution: Won't Fix
  • OS: windows_8
  • CPU: x86
  • Submitted: 2014-04-01
  • Updated: 2014-04-09
  • Resolved: 2014-04-09
Description
FULL PRODUCT VERSION :
JRE:Version 8 Update 20 build 1.8.0_20-ea-b05
JRE:Version 8 build 1.8.0-b132

ADDITIONAL OS VERSION INFORMATION :
Test case1:
OS:Windows8.1 Enterprise
Browser: Firefox28
JRE:Version 8 build 1.8.0-b132

Test case2:
OS:10.8.5
Browser:firefox28
JRE:Version 8 Update 20 build 1.8.0_20-ea-b05

The same problem occurs for some other JRE 1.7.x and browser combinations too.

A DESCRIPTION OF THE PROBLEM :
The JRE JAR/class downloading code doesn't send the HttpOnly cookie to the web server that hosts the JAR files.

You can follow these steps to reproduce the problem:
1. Access http://www.coderforlife.com/test/http-only-cookie/
The browser will get an HttpOnly cookie called "httOnly" and a normal cookie called "normal" when you view the cookies using Firebug or HttpWatch.
2. After the Java applet has launched, look at the Java console window;
you can see that only the normal cookie is there, as in the following.

network: Cache entry not found [url: http://www.coderforlife.com/test/http-only-cookie/CookieTest.class, version: null]
network: Connecting http://www.coderforlife.com/test/http-only-cookie/CookieTest.class with cookie "normal=xxx"
network: Downloading resource: http://www.coderforlife.com/test/http-only-cookie/CookieTest.class


3. I can reproduce the problem in the following two test cases.
The same problem occurs for some other JRE 1.7.x and browser combinations too.

Test case1:
OS:Windows8.1 Enterprise
Browser: Firefox28
JRE:Version 8 build 1.8.0-b132

Test case2:
OS:10.8.5
Browser:firefox28
JRE:Version 8 Update 20 build 1.8.0_20-ea-b05



ADDITIONAL REGRESSION INFORMATION: 
JRE:Version 8 Update 20 build 1.8.0_20-ea-b05
JRE:Version 8 build 1.8.0-b132


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expect that the JRE sends both the normal cookie and the HttpOnly cookie when it tries to download the JAR/class.
ACTUAL -
JRE only sends the normal cookie in its JAR/class downloading request.

REPRODUCIBILITY :
This bug can be reproduced always.


Comments
This issue is for Firefox and it is not technically possible due to an NPAPI limitation. For IE it works.
09-04-2014

1. Support for HTTPOnly cookies doesn't exist in NPAPI. See the NPAPI change proposal https://wiki.mozilla.org/NPAPI:HttpOnlyCookies and the comments at http://bugs.sun.com/view_bug.do?bug_id=7116429
2. Support for HTTPOnly cookies for IE was explicitly added per request https://bugs.openjdk.java.net/browse/JDK-7077220 and then improved in https://bugs.openjdk.java.net/browse/JDK-7196513
3. Support for HTTPOnly cookies for Chrome/Firefox (JDK-7116429) was not implemented due to the above-mentioned limitations of the current NPAPI spec.
09-04-2014
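
The behaviour discussed in the comments above, as an added example (not JDK, plugin or browser code): under RFC 6265 a cookie flagged HttpOnly is withheld from non-HTTP APIs, so a plugin that reads the browser's cookie jar through such an API and then issues its own download request can only attach the non-HttpOnly cookies. The Set-Cookie headers, the `yyy` value and the Path attribute are constructed for illustration.

```javascript
// Added illustration (not JDK, plugin or browser code).
// Constructed sample headers; values and Path are assumptions.
const SAMPLE_SET_COOKIE = [
  'normal=xxx; Path=/test/http-only-cookie/',
  'httOnly=yyy; Path=/test/http-only-cookie/; HttpOnly',
];

// Parse one Set-Cookie value into { name, value, path, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // RFC 6265 5.2: no "=" or empty name -> ignore
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: '/', httpOnly: false }; // default path simplified to "/"
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'path' && val.startsWith('/')) cookie.path = val;
  }
  return cookie;
}

// RFC 6265 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// api 'http': the browser's own request. api 'non-http': script or plugin
// access to the jar, from which HttpOnly cookies are withheld.
function cookieHeaderFor(jar, requestPath, api) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .filter((c) => api === 'http' || !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

const jar = SAMPLE_SET_COOKIE.map(parseSetCookie).filter(Boolean);
const classPath = '/test/http-only-cookie/CookieTest.class';
console.log('browser request:', cookieHeaderFor(jar, classPath, 'http'));
console.log('plugin request: ', cookieHeaderFor(jar, classPath, 'non-http'));
```

The second line matches the `with cookie "normal=xxx"` entry in the Java console log: a server that gates JAR/class downloads on an HttpOnly session cookie will see the plugin's request arrive without it.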