Set HttpOnly flag for settingStore cookie
The HttpOnly attribute (see RFC 6265) prevents client-side script from
reading the value of a cookie through the DOM API.
Bug 408656: HttpOnly flag for settingStore cookie
https://bugs.eclipse.org/bugs/show_bug.cgi?id=408656
Change-Id: Idd824f954e16873f7a35cf2338055b08dc3bc786
diff --git a/bundles/org.eclipse.rap.rwt/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager.java b/bundles/org.eclipse.rap.rwt/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager.java
index 72d41d2..753d9d4 100644
--- a/bundles/org.eclipse.rap.rwt/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager.java
+++ b/bundles/org.eclipse.rap.rwt/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2002, 2015 Innoopract Informationssysteme GmbH and others.
+ * Copyright (c) 2002, 2020 Innoopract Informationssysteme GmbH and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
@@ -73,6 +73,7 @@
Cookie cookie = new Cookie( COOKIE_NAME, result );
cookie.setSecure( ContextProvider.getRequest().isSecure() );
cookie.setMaxAge( COOKIE_MAX_AGE_SEC );
+ cookie.setHttpOnly( true );
ContextProvider.getResponse().addCookie( cookie );
// (2+3) update storeId stored in session
// Note: This attribute must be checked for validity to prevent attacks
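Review bot: The new `cookie.setHttpOnly( true );` line carries no comment recording why the flag is set, and `Cookie.setHttpOnly` only exists from Servlet API 3.0 onward, so the bundle's minimum `javax.servlet` import range must be at least that — confirm the manifest matches, as it is not visible here. A short why-comment such as `// HttpOnly: keep the setting-store id out of reach of client-side script (RFC 6265)` placed next to the Secure/MaxAge settings would make the intent explicit for the next maintainer. The Secure flag on the line above still mirrors `isSecure()` of the current request, which may report false behind a TLS-terminating proxy unless the container is configured to honour the forwarded scheme; that is pre-existing, but a follow-up worth noting alongside this hardening. The enclosing method starts and ends outside the hunk.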
diff --git a/tests/org.eclipse.rap.rwt.test/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager_Test.java b/tests/org.eclipse.rap.rwt.test/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager_Test.java
index 68ade81..415d21e 100644
--- a/tests/org.eclipse.rap.rwt.test/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager_Test.java
+++ b/tests/org.eclipse.rap.rwt.test/src/org/eclipse/rap/rwt/internal/service/SettingStoreManager_Test.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2002, 2014 Innoopract Informationssysteme GmbH and others.
+ * Copyright (c) 2002, 2020 Innoopract Informationssysteme GmbH and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
@@ -106,6 +106,7 @@
Cookie cookie = response.getCookie( "settingStore" );
assertTrue( cookie.getMaxAge() > 0 );
assertTrue( Pattern.matches( "[0-9]*_[0-9]*", cookie.getValue() ) );
+ assertTrue( cookie.isHttpOnly() );
}
@Test