Networking team,
Any comments on backporting this change to OpenJDK 6? My inclination is
to approve the backport, but I want your input on the issue.
-Joe
On 2/8/2011 1:19 AM, Florian Weimer wrote:
This change:
# User jccollet
# Date 1208423133 -7200
# Node ID d44e3bf49ffbcbc5c6ce9a8fa4113153f8368a60
# Parent a954a6f3be6fa69014f00488f52b2da12e6634bf
6644726: Cookie management issues
Summary: Many changes to accomodate RFC 2965 and old Netscape specs
Reviewed-by: chegar
diff -r a954a6f3be6f -r d44e3bf49ffb
src/share/classes/java/net/CookieManager.java
--- a/src/share/classes/java/net/CookieManager.java Wed Apr 16 14:17:54
2008 +0100
+++ b/src/share/classes/java/net/CookieManager.java Thu Apr 17 11:05:33
2008 +0200
@@ -205,11 +205,31 @@
if (cookieJar == null)
return Collections.unmodifiableMap(cookieMap);
+ boolean secureLink = "https".equalsIgnoreCase(uri.getScheme());
List<HttpCookie> cookies = new java.util.ArrayList<HttpCookie>();
+ String path = uri.getPath();
+ if (path == null || path.isEmpty()) {
+ path = "/";
+ }
for (HttpCookie cookie : cookieJar.get(uri)) {
// apply path-matches rule (RFC 2965 sec. 3.3.4)
- if (pathMatches(uri.getPath(), cookie.getPath())) {
- cookies.add(cookie);
+ // and check for the possible "secure" tag (i.e. don't send
+ // 'secure' cookies over unsecure links)
+ if (pathMatches(path, cookie.getPath())&&
+ (secureLink || !cookie.getSecure())) {
[...]
is arguably a security fix (sending HTTPS-only cookies over HTTP is a
problem). The whole patch seems to be quite important for
interoperability. (Further changes from JDK 7 and maybe even new
development may be required to get cookie support working; I will
check that if backporting such changes is fine in principle.)
