On 15/12/11 15:00, Chris Hegarty wrote:
CR 7095980: Ensure HttpURLConnection (and supporting APIs) don't
expose HttpOnly cookies

The changes use the internal/private java.net.HttpCookie parsing
implementation to filter out HttpOnly cookies from the Set-Cookie and
Set-Cookie2 headers returned in the HTTP protocol handler. With this
change I believe the HTTP protocol suitably protects HttpOnly cookies.

http://cr.openjdk.java.net/~chegar/7095980/webrev.00/webrev/

It reuses the internal java.net.HttpCookie parsing implementation
rather than trying to maintain two separate parsing implementations.
This is a little ugly since it is private and in the public java.net
namespace, but I believe a shared secret is the best approach here. We
could have moved the implementation itself into sun.net and just made
it public, but I felt it cleaner to leave it as is.

Thanks,
-Chris.

Looks good to me.
- Michael.