On 14.06.2013 19:32, Chris Hegarty wrote:
> Hi Vasiliy,
>
> On 14/06/2013 09:48, Vasiliy Baranov wrote:
>> Greetings,
>>
>> Suppose I need to call java.net.CookieHandler.get(URI uri,
>> Map<String,List<String>> requestHeaders) and need to filter out
>> 'HttpOnly' cookies from the result. My understanding is in that case I
>> should call CookieHandler.get with a URI starting with "javascript://"
>> or any other non-HTTP scheme.
>
> Yes, that will certainly work, but I admit it is a little odd.
>
>> Now what if I need to exclude 'HttpOnly' cookies but include 'Secure'
>> non-'HttpOnly' cookies? Which scheme should I use in the URI in that
>> case? "javascripts"?
>
> 'javascripts' will not work. Currently only 'https' is supported for
> 'Secure' cookie.

Hi Chris,

Thank you for clarifying these.

By "will not work", you mean it will not work with stock CookieHandler implementations such as java.net.CookieManager and plugin cookie handlers?

At this point I am mostly interested in knowing how your team thinks it should work in the ideal world, that is, from the specification point of view.

The use case I have is JavaFX WebView's implementation for the 'document.cookie' object which needs to return secure cookies if the web page has been obtained via a secure channel but filter out secure cookies otherwise (obviously, HttpOnly cookies must be filtered out in either case).

FWIW, WebView has its own CookieHandler implementation that gets installed automatically as the default CookieHandler if there is no default CookieHandler installed yet. In the current WebView implementation, "javascript" is the only scheme that allows filtering out HttpOnly cookies as you are describing above, so it cannot differentiate between secure and non-secure channels and hence has to exclude secure cookies for safety. That causes problems such as the one reported recently: https://javafx-jira.kenai.com/browse/RT-31072 . That recent issue looks rather critical so I am about to change the WebView implementation to differentiate between secure and non-secure channels using the value of "javascripts" to denote a secure analog of "javascript". I don't think I have an option to not make that change, and now I am sort of wondering whether it is going to cause a total disaster with the plugin cookie handlers.

Thank you,
-- Vasiliy

>> This question is somewhat related to
>> http://bugs.sun.com/view_bug.do?bug_id=7077220 ,
>> http://bugs.sun.com/view_bug.do?bug_id=7038890 , and
>> http://bugs.sun.com/view_bug.do?bug_id=7048628 .
>>
>> Thank you,
>> -- Vasiliy
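
The scheme behaviour discussed in this thread can be observed against the stock java.net.CookieManager with the added example below, which is not code from either poster, the JDK or JavaFX. It also shows one scheme-independent way to build a script-visible cookie view by filtering on the cookie attributes directly; the class name, the helper names `scriptVisibleCookies` and `cookie`, and the host `example.test` are assumptions made for illustration.

```java
import java.net.*;
import java.util.*;
import java.util.stream.Collectors;

public class ScriptCookieDemo {
    // Hypothetical helper: the cookies a page script may read, decided from the
    // page's real URI and the cookie attributes rather than a made-up scheme.
    static String scriptVisibleCookies(CookieStore store, URI pageUri) {
        boolean secureChannel = "https".equalsIgnoreCase(pageUri.getScheme());
        return store.get(pageUri).stream()
                .filter(c -> !c.isHttpOnly())                  // never exposed to script
                .filter(c -> secureChannel || !c.getSecure())  // Secure only over https
                .map(c -> c.getName() + "=" + c.getValue())
                .collect(Collectors.joining("; "));
    }

    // Builds a constructed sample cookie with the given attributes.
    static HttpCookie cookie(String name, boolean secure, boolean httpOnly) {
        HttpCookie c = new HttpCookie(name, "1");
        c.setPath("/");
        c.setVersion(0);          // Netscape style, so no $Version prefix is emitted
        c.setSecure(secure);
        c.setHttpOnly(httpOnly);
        return c;
    }

    public static void main(String[] args) throws Exception {
        CookieManager manager = new CookieManager();
        CookieStore store = manager.getCookieStore();
        URI origin = new URI("https://example.test/");   // constructed host
        store.add(origin, cookie("plain", false, false));
        store.add(origin, cookie("secure", true, false));
        store.add(origin, cookie("httponly", false, true));

        // What the stock handler returns for each scheme mentioned in the thread.
        Map<String, List<String>> noHeaders = Collections.emptyMap();
        for (String scheme : new String[] {"http", "https", "javascript", "javascripts"}) {
            URI uri = new URI(scheme + "://example.test/");
            System.out.println(scheme + " -> " + manager.get(uri, noHeaders).get("Cookie"));
        }

        // Attribute-based view for a page loaded over https and over http.
        System.out.println("script view (https page): " + scriptVisibleCookies(store, origin));
        System.out.println("script view (http page):  "
                + scriptVisibleCookies(store, new URI("http://example.test/")));
    }
}
```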
