Posted to dev@hc.apache.org by "Karl Wright (JIRA)" <ji...@apache.org> on 2012/11/21 14:45:57 UTC

[jira] [Created] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Karl Wright created HTTPCLIENT-1264:
---------------------------------------

             Summary: Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy
                 Key: HTTPCLIENT-1264
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1264
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpClient
    Affects Versions: 4.2.2
            Reporter: Karl Wright


The ManifoldCF project is currently moving to HttpComponents 4.2.2 from a heavily patched commons-httpclient 3.1 version.  One of the patches seems to have no particular equivalent yet in HttpComponents.  Please see CONNECTORS-119 for details about what the patch did, and research into the current HttpComponents code base.

I am happy to create a specific patch if that is desired; please let me know.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502721#comment-13502721 ] 

Karl Wright commented on HTTPCLIENT-1264:
-----------------------------------------

Hi Oleg,

First of all, for ManifoldCF, we have a workaround so what you choose to do is immaterial to us.  However, I would point out that you have pretty strong evidence at this point that the BROWSER_COMPATIBILITY policy is not correct, at least for one OS, and in our case for Windows (if that is not what Sebb tried) and for two different browsers that operate on each OS.  I would agree with Sebb that keeping backwards compatibility would be a good idea, so creating a new cookie policy (as this ticket proposes) would be the correct way to do this, in my opinion.  It sounds to me like what is unknown at this point is the following:

- the scope of what browsers/settings/OS's the policy would apply to (more than zero, though, clearly)
- what it is to be called

As time permits I would imagine those questions could be further answered; while I am not in a position to do extensive work right now I may have the opportunity within a week or two, and broaden the research to Linux versions of Firefox, at least.  Does this change your thinking at all?

Karl

                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502064#comment-13502064 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1264:
-----------------------------------------------

Karl
As far as I understand it should take no more than a few lines of code to override the default behavior of the browser compatibility spec by using a custom attribute handler. However, I would like to be sure this is what common browsers do with regards to cookie path attribute validation. In this case I would rather change the browser compatibility CookieSpec implementation instead of adding a new policy to the stock version of HttpClient.

Oleg
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Sebb (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502292#comment-13502292 ] 

Sebb commented on HTTPCLIENT-1264:
----------------------------------

Just ran some tests, and AFAICT Firefox, Chrome and Opera all retain cookies with a path that does not match the originating host path (and then serve them to the relevant path).

As far as I am aware I have not specifically permitted this.
For default behaviour this is not ideal!
                


[jira] [Updated] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1264:
------------------------------------------

    Fix Version/s: 4.3 Final

Karl

The trouble is that an additional policy would need to be properly documented and maintained afterwards. 

I am desperately trying to reduce the footprint of the public APIs and the set of configuration options supported out of the box, because it is enormously difficult to maintain such a significant code base with so few people working on the project in their free time. I would be very strongly in favor of doing a proper analysis and amending the default implementation. Besides, the next feature release would be a good moment for tweaking the behavior of the compatibility cookie spec given the scope of changes planned for 4.3.

I am having my hands full with 4.3 development and have no bandwidth left for this issue. However, I'll happily contribute in terms of code reviews, patching and so on.

Oleg
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502303#comment-13502303 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1264:
-----------------------------------------------

Hi Sebastian

Just to clarify, would you be in favour of changing the current behavior of the browser compatibility policy which disallows such cookies or not? 

Oleg
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502143#comment-13502143 ] 

Karl Wright commented on HTTPCLIENT-1264:
-----------------------------------------

As far as packet captures, that would have required me to keep around the login credentials for that site, which I didn't.  And, of course, the site might have changed since then.  I will see if I can find it... but a better approach might be to simply construct a servlet under Tomcat that does something similar and see how it behaves.
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Sebb (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502314#comment-13502314 ] 

Sebb commented on HTTPCLIENT-1264:
----------------------------------

I've only done a brief test on a single OS, so ideally I'd want confirmation that it's not just my browsers that behave that way.

But I would certainly not veto such a change, so long as it is well documented.

In case the change causes problems, users must be able to restore the original behaviour without too much difficulty.
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502163#comment-13502163 ] 

Karl Wright commented on HTTPCLIENT-1264:
-----------------------------------------

The policy override looks good - thanks!

                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502144#comment-13502144 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1264:
-----------------------------------------------

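---
import org.apache.http.client.params.CookiePolicy;
import org.apache.http.cookie.CookieSpec;
import org.apache.http.cookie.CookieSpecFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpParams;

// Replace the factory registered under BROWSER_COMPATIBILITY with one that
// returns the lax subclass.
DefaultHttpClient client = new DefaultHttpClient();
client.getCookieSpecs().register(CookiePolicy.BROWSER_COMPATIBILITY, new CookieSpecFactory() {

    public CookieSpec newInstance(HttpParams params) {
        return new LaxBrowserCompatSpec();
    }

});
---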

Oleg
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502646#comment-13502646 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1264:
-----------------------------------------------

Karl et al,

If anyone is prepared to invest some time into a more systematic investigation of how common browsers behave with regards to cookie path attribute validation I would be more than happy to apply changes to the browser compatibility spec in HttpClient based on the results of such analysis. Otherwise I'll close the issue as resolved given it is quite trivial to override the default behavior if required.

Oleg
                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502120#comment-13502120 ] 

Karl Wright commented on HTTPCLIENT-1264:
-----------------------------------------

Hi Oleg - one more thing -

If you decide not to change the policy, I'd love to have a little guidance as to how I can just override the path attribute handler, and leave everything else the same, with a stock version of 4.2.2.

                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502139#comment-13502139 ] 

Karl Wright commented on HTTPCLIENT-1264:
-----------------------------------------

How do I register LaxBrowserCompatSpec?  Where does this occur now?

                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502115#comment-13502115 ] 

Karl Wright commented on HTTPCLIENT-1264:
-----------------------------------------

Hi Oleg,

As you are no doubt aware, browsers have a number of security settings.  The site where we encountered this construct had seemingly been set up to require IE to be set to "medium" security.  I verified that both IE and Firefox were able to log into this particular site, with the medium security setting, so browsers clearly ignore this particular check under those conditions.

The ticket CONNECTORS-97 has full details as to the site and what my analysis discovered.

                


[jira] [Commented] (HTTPCLIENT-1264) Need CookiePolicy.BROWSER_COMPATIBILITY_MEDIUM_SECURITY policy

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502137#comment-13502137 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1264:
-----------------------------------------------

The original report contains a statement 'And yet, FireFox and IE have no trouble with these.' which I find a bit vague. I am aware of different security modes in IE but could not find anything similar in FF of a recent version. Therefore ideally I would like to see HTTP packets exchanged between FF and the site to be 100% sure the default behavior of HttpClient requires changes.

Anyway, one can easily disable the check by extending the default implementation and registering the subclass instead of the default one

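---
import org.apache.http.cookie.ClientCookie;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.cookie.BasicPathHandler;
import org.apache.http.impl.cookie.BrowserCompatSpec;

class LaxBrowserCompatSpec extends BrowserCompatSpec {

    public LaxBrowserCompatSpec() {
        super();
        // Re-register the path handler with validation disabled; only validate()
        // is overridden, match() is inherited from BasicPathHandler.
        registerAttribHandler(ClientCookie.PATH_ATTR, new BasicPathHandler() {

            @Override
            public void validate(
                    Cookie cookie, CookieOrigin origin) throws MalformedCookieException {
                // oh, I am easy
            }

        });
    }

}
---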

Oleg 
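
Added example (not code from the thread participants or the HttpClient project): a small harness that separates the two decisions this thread is about, whether a cookie is stored when its Path does not cover the URL that set it, and which requests it is later attached to. It assumes HttpClient 4.2.x on the classpath; the host name, paths and cookie value are constructed for illustration.

```java
import org.apache.http.cookie.ClientCookie;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.CookieSpec;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.cookie.BasicClientCookie;
import org.apache.http.impl.cookie.BasicPathHandler;
import org.apache.http.impl.cookie.BrowserCompatSpec;

public class CookiePathCheckDemo {

    /** Same override as the subclass in the thread: skip the store-time Path check only. */
    static class LaxBrowserCompatSpec extends BrowserCompatSpec {
        LaxBrowserCompatSpec() {
            super();
            registerAttribHandler(ClientCookie.PATH_ATTR, new BasicPathHandler() {
                @Override
                public void validate(Cookie cookie, CookieOrigin origin)
                        throws MalformedCookieException {
                    // Accept any Path when the cookie is set. match() is inherited,
                    // so send-time path scoping is left as it was.
                }
            });
        }
    }

    /** Store-time decision: does this spec keep a cookie set by the given origin? */
    static boolean accepted(CookieSpec spec, Cookie cookie, CookieOrigin setBy) {
        try {
            spec.validate(cookie, setBy);
            return true;
        } catch (MalformedCookieException rejected) {
            return false;
        }
    }

    /** Send-time decision: does this spec attach the cookie to the given request? */
    static boolean sentTo(CookieSpec spec, Cookie cookie, CookieOrigin request) {
        return spec.match(cookie, request);
    }

    public static void main(String[] args) {
        // Constructed scenario: a login URL sets a session cookie scoped to a
        // different path on the same host.
        BasicClientCookie cookie = new BasicClientCookie("SESSION", "constructed-value");
        cookie.setDomain("www.example.com");
        cookie.setPath("/portal/app");

        CookieOrigin login = new CookieOrigin("www.example.com", 80, "/login/submit", false);
        CookieOrigin inScope = new CookieOrigin("www.example.com", 80, "/portal/app/home", false);
        CookieOrigin outOfScope = new CookieOrigin("www.example.com", 80, "/reports/list", false);

        CookieSpec stock = new BrowserCompatSpec();
        CookieSpec lax = new LaxBrowserCompatSpec();

        // Store-time: the only place the two specs are expected to differ.
        System.out.println("stock stores cookie set by /login/submit: "
                + accepted(stock, cookie, login));
        System.out.println("lax stores cookie set by /login/submit:   "
                + accepted(lax, cookie, login));

        // Send-time: path scoping decides which requests carry the cookie.
        System.out.println("lax sends cookie to /portal/app/home: "
                + sentTo(lax, cookie, inScope));
        System.out.println("lax sends cookie to /reports/list:    "
                + sentTo(lax, cookie, outOfScope));
    }
}
```

Running it against the version in use shows whether an override is needed at all, and confirms that relaxing `validate` does not widen the set of paths the cookie is sent to.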
                