treat localhost as secure origin when processing cookies

HtmlUnit · Nov 19, 2022 · f0d8cd1 · f0d8cd1
1 parent 96ccf19
commit f0d8cd1
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 4 deletions.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -7,15 +7,18 @@
     </properties>
 
     <body>
-        <release version="2.67.0" date="xxxx, 2022" description="Chrome/Edge 107, Bugfixes, Android 6">
+        <release version="2.67.0" date="xxxx, 2022" description="Chrome/Edge 107, Firefox 107, Bugfixes">
+            <action type="update" dev="rbri">
+                Treat localhost as secure origin when processing cookies.
+            </action>
             <action type="update" dev="rbri">
                 Avoid usage of interfaces from java.util.function for Android 6.
             </action>
             <action type="fix" dev="rbri">
                 Take care of the fixed position style attribute at some places.
             </action>
             <action type="fix" dev="rbri">
-                Remove some not required string operations frim the DOMTokenList code.
+                Remove some not required string operations from the DOMTokenList code.
             </action>
             <action type="fix" dev="rbri">
                 Fixing change notification for the DOMTokenList in some situations.

diff --git a/src/main/java/com/gargoylesoftware/htmlunit/httpclient/HtmlUnitBrowserCompatCookieSpec.java b/src/main/java/com/gargoylesoftware/htmlunit/httpclient/HtmlUnitBrowserCompatCookieSpec.java
@@ -39,7 +39,6 @@
 import org.apache.http.impl.cookie.BasicClientCookie;
 import org.apache.http.impl.cookie.BasicCommentHandler;
 import org.apache.http.impl.cookie.BasicMaxAgeHandler;
-import org.apache.http.impl.cookie.BasicSecureHandler;
 import org.apache.http.impl.cookie.CookieSpecBase;
 import org.apache.http.message.BasicHeader;
 import org.apache.http.message.BasicHeaderElement;
@@ -108,7 +107,7 @@ public HtmlUnitBrowserCompatCookieSpec(final BrowserVersion browserVersion) {
                 new HtmlUnitDomainHandler(browserVersion),
                 new HtmlUnitPathHandler(browserVersion),
                 new BasicMaxAgeHandler(),
-                new BasicSecureHandler(),
+                new HtmlUnitSecureHandler(),
                 new BasicCommentHandler(),
                 new HtmlUnitExpiresHandler(browserVersion),
                 new HtmlUnitHttpOnlyHandler(),

diff --git a/src/main/java/com/gargoylesoftware/htmlunit/httpclient/HtmlUnitSecureHandler.java b/src/main/java/com/gargoylesoftware/htmlunit/httpclient/HtmlUnitSecureHandler.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2002-2022 Gargoyle Software Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gargoylesoftware.htmlunit.httpclient;
+
+import org.apache.http.cookie.Cookie;
+import org.apache.http.cookie.CookieOrigin;
+import org.apache.http.impl.cookie.BasicSecureHandler;
+import org.apache.http.util.Args;
+
+/**
+ * Customized BasicSecureHandler for HtmlUnit.
+ *
+ * @author Ronald Brill
+ */
+final class HtmlUnitSecureHandler extends BasicSecureHandler {
+
+    HtmlUnitSecureHandler() {
+        super();
+    }
+
+    @Override
+    public boolean match(final Cookie cookie, final CookieOrigin origin) {
+        Args.notNull(cookie, "Cookie");
+        Args.notNull(origin, "Cookie origin");
+        return !cookie.isSecure() || origin.isSecure() || "localhost".equalsIgnoreCase(origin.getHost());
+    }
+}