authordeanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2008-11-19 19:46:27 +0000
committerdeanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2008-11-19 19:46:27 +0000
commit3a96c74353aae5bcc15867400927e52f05d9b7e6 (patch)
tree8e88a4c722f67c282a095ba5363c95d938a596f3 /net/url_request
parentad4996c5bae5ebb89eb893d49a5802f7e8a9e543 (diff)
Enforce HttpOnly on cookies coming from the renderer. This prevents JavaScript from setting a new HttpOnly cookie and, more importantly, from overwriting existing HttpOnly cookies.
Patch from Marius Schilder. Review URL: http://codereview.chromium.org/11275 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@5700 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/url_request')
-rw-r--r--net/url_request/url_request_http_job.cc11
1 files changed, 8 insertions, 3 deletions
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 69f7bb5..eac02e1 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -414,7 +414,11 @@ void URLRequestHttpJob::NotifyHeadersComplete() {
ctx->cookie_policy()->CanSetCookie(request_->url(),
request_->policy_url())) {
FetchResponseCookies();
- ctx->cookie_store()->SetCookies(request_->url(), response_cookies_);
+ net::CookieMonster::CookieOptions options;
+ options.set_include_httponly();
+ ctx->cookie_store()->SetCookiesWithOptions(request_->url(),
+ response_cookies_,
+ options);
}
}
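Review bot: The two `options.set_include_httponly()` opt-ins, here in NotifyHeadersComplete and again in the AddExtraHeaders hunk, have no comment saying why these call sites may touch HttpOnly cookies. The cookie-store side of the change is outside this path-limited diff, so presumably a default-constructed `CookieOptions` excludes HttpOnly and that default is what protects the renderer path. If so, copying this pattern into script-reachable code later would silently undo the enforcement. I would add `// Set-Cookie from a network response may create or overwrite HttpOnly cookies; script-originated writes must use default options.` above the setter here, and `// HttpOnly cookies are sent on the wire; only script reads exclude them.` in AddExtraHeaders. Both function bodies start outside their hunks.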
@@ -517,9 +521,10 @@ void URLRequestHttpJob::AddExtraHeaders() {
if (context->cookie_store() &&
context->cookie_policy()->CanGetCookies(request_->url(),
request_->policy_url())) {
+ net::CookieMonster::CookieOptions options;
+ options.set_include_httponly();
std::string cookies = request_->context()->cookie_store()->
- GetCookiesWithOptions(request_->url(),
- net::CookieMonster::INCLUDE_HTTPONLY);
+ GetCookiesWithOptions(request_->url(), options);
if (!cookies.empty())
request_info_.extra_headers += "Cookie: " + cookies + "\r\n";
}
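Review bot: The statement this hunk rewrites still reaches the store through `request_->context()->cookie_store()`, while the guard above it tests `context->cookie_store()` and `context->cookie_policy()`. `context` is assigned outside the hunk, so it is presumably the same object, but a reader auditing which store receives the HttpOnly-inclusive options has to confirm that. Since the call is being touched anyway, I would write it as `std::string cookies = context->cookie_store()->GetCookiesWithOptions(request_->url(), options);` so the null check and the use visibly refer to one object.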