JDK-7048628 : Mechanism to access cookies omitting HTTPOnly cookies needed
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 6u24
  • Priority: P4
  • Status: Closed
  • Resolution: Incomplete
  • OS: generic
  • CPU: generic
  • Submitted: 2011-05-26
  • Updated: 2011-05-30
  • Resolved: 2011-05-30
Description
RFC 6265 defines HTTPOnly cookies as follows:

   "The HttpOnly attribute limits the scope of the cookie to HTTP
   requests.  In particular, the attribute instructs the user agent to
   omit the cookie when providing access to cookies via "non-HTTP" APIs
   (such as a web browser API that exposes cookies to scripts)."

However, the current java.net.CookieHandler interface does not seem to be designed for use by such "non-HTTP" APIs, in that it does not provide a clear mechanism to omit HTTPOnly cookies when accessing cookies via CookieHandler.get() and .set().

This is becoming a problem for the JavaFX WebView control, which effectively acts as a web browser and thus needs to be able to omit HTTPOnly cookies when passing cookies to and from the scripts running inside web pages.

Comments
PUBLIC COMMENTS
In JDK7 we added methods to java.net.HttpCookie to determine/set if a cookie is HTTPOnly, isHttpOnly() and setHttpOnly(boolean). In java.net.CookieHandler.get() the following was added:

   "The URI passed as an argument specifies the intended use for the cookies. In particular the scheme should reflect whether the cookies will be sent over http, https or used in another context like javascript. The host part should reflect either the destination of the cookies or their origin in the case of javascript. It is up to the implementation to take into account the URI and the cookies attributes and security settings to determine which ones should be returned."

Is this what the submitter is requesting, or have I missed the actual point behind this request?
30-05-2011

PUBLIC COMMENTS
> In JDK7 we added methods to java.net.HttpCookie to determine/set if a cookie is HTTPOnly, isHttpOnly() and setHttpOnly(boolean).

This is probably irrelevant, as CookieHandler.get()/put() deal with Map<String,List<String>>s rather than java.net.HttpCookie.

> In java.net.CookieHandler.get() the following was added:

This is almost exactly what I was asking for. By "almost" I mean I would prefer a more explicit indication that HTTPOnly cookies should be omitted, but the added mechanism should suit our needs too, provided it is universally supported by the CookieHandler implementations.

For what it is worth, we've been calling CookieHandler.get()/put() with "javascript://..." URIs for a while to achieve the desired effect, but eventually hit bug # 7038890 in the applet mode, and thus had to stop doing so for now.

Anyway, this issue should probably be marked as a duplicate of the issue under which java.net.CookieHandler.get() was extended to allow distinguishing between HTTP and non-HTTP uses.
30-05-2011
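
The URI-scheme convention discussed in the comments above, sketched as an added example that is not part of this report and is not JDK or JavaFX code. The class name `ScriptAwareCookieHandler`, the rule that any scheme other than http/https marks a non-HTTP caller, and the sample headers are assumptions; path matching is omitted, and the store is the default in-memory one obtained from `CookieManager`.

```java
import java.net.*;
import java.util.*;

// Hypothetical handler for illustration; not JDK or JavaFX code.
public class ScriptAwareCookieHandler extends CookieHandler {
    private final CookieStore store = new CookieManager().getCookieStore();
    // Assumption: any scheme other than http/https marks a "non-HTTP" caller.
    private static boolean isHttp(URI uri) {
        String s = uri.getScheme();
        return "http".equalsIgnoreCase(s) || "https".equalsIgnoreCase(s);
    }
    @Override
    public Map<String, List<String>> get(URI uri, Map<String, List<String>> requestHeaders) {
        List<String> pairs = new ArrayList<>();
        for (HttpCookie c : store.get(uri)) {
            if (c.isHttpOnly() && !isHttp(uri)) continue; // omit for script callers
            pairs.add(c.getName() + "=" + c.getValue());
        }
        return pairs.isEmpty() ? Collections.<String, List<String>>emptyMap()
            : Collections.singletonMap("Cookie", Collections.singletonList(String.join("; ", pairs)));
    }
    @Override
    public void put(URI uri, Map<String, List<String>> responseHeaders) {
        List<String> headers = responseHeaders.get("Set-Cookie");
        if (headers == null) return;
        for (String header : headers) {
            for (HttpCookie c : HttpCookie.parse(header)) {
                // RFC 6265 5.3: a non-HTTP API may not set or replace an HttpOnly cookie.
                if (!isHttp(uri) && (c.isHttpOnly() || hasHttpOnly(uri, c.getName()))) continue;
                store.add(uri, c);
            }
        }
    }
    private boolean hasHttpOnly(URI uri, String name) {
        for (HttpCookie c : store.get(uri))
            if (c.isHttpOnly() && c.getName().equals(name)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        CookieHandler h = new ScriptAwareCookieHandler();
        URI http = new URI("http://example.com/"), js = new URI("javascript://example.com/");
        // Constructed sample headers: one HttpOnly session cookie, one ordinary cookie.
        h.put(http, Collections.singletonMap("Set-Cookie", Arrays.asList("sid=abc; HttpOnly", "theme=dark")));
        // A script-side write that tries to replace the HttpOnly cookie is ignored.
        h.put(js, Collections.singletonMap("Set-Cookie", Arrays.asList("sid=overwritten")));
        System.out.println("HTTP view:   " + h.get(http, Collections.<String, List<String>>emptyMap()));
        System.out.println("script view: " + h.get(js, Collections.<String, List<String>>emptyMap()));
    }
}
```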