Secure Cookies should only be sent over secure connections.

http://bugreports.qt.nokia.com/browse/QTBUG-9618

QtWebKit currently fails the following test:

LayoutTests/http/tests/xmlhttprequest/cookies.html

This is because QNetworkCookieJar::cookiesForUrl returns secure
cookies even when the connection is not secure.

A 'secure' cookie is set by response headers from a http  server as follows:

'Set-Cookie: cookie-name=value; secure'

Correct QNetworkCookieJar::cookiesForUrl to ignore secure cookies when the
url in the request is not 'https:'.

Task-number: QTBUG-9618
Merge-request: 2372
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
(cherry picked from commit 483fdd017d9998c6d7f4a035ca615e15fbc97e6a)

2 files changed, 15 insertions, 0 deletions

diff --git a/src/network/access/qnetworkcookiejar.cpp b/src/network/access/qnetworkcookiejar.cpp
index 664557cd13..5d68c4719f 100644
--- a/src/network/access/qnetworkcookiejar.cpp
+++ b/src/network/access/qnetworkcookiejar.cpp
@@ -269,6 +269,7 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
     Q_D(const QNetworkCookieJar);
     QDateTime now = QDateTime::currentDateTime();
     QList<QNetworkCookie> result;
+    bool isEncrypted = url.scheme().toLower() == QLatin1String("https");
 
     // scan our cookies for something that matches
     QList<QNetworkCookie>::ConstIterator it = d->allCookies.constBegin(),
@@ -280,6 +281,8 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
             continue;
         if (!(*it).isSessionCookie() && (*it).expirationDate() < now)
             continue;
+        if ((*it).isSecure() && !isEncrypted)
+            continue;
 
         // insert this cookie into result, sorted by path
         QList<QNetworkCookie>::Iterator insertIt = result.begin();
diff --git a/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp b/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
index 9751fe9887..889defe199 100644
--- a/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
+++ b/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
@@ -304,6 +304,18 @@ void tst_QNetworkCookieJar::cookiesForUrl_data()
     QTest::newRow("path-match-2") << allCookies << "http://nokia.com/web/" << result;
     QTest::newRow("path-match-3") << allCookies << "http://nokia.com/web/content" << result;
 
+    // secure cookies
+    allCookies.clear();
+    result.clear();
+    QNetworkCookie secureCookie;
+    secureCookie.setName("a");
+    secureCookie.setPath("/web");
+    secureCookie.setDomain(".nokia.com");
+    secureCookie.setSecure(true);
+    allCookies += secureCookie;
+    QTest::newRow("no-match-secure-1") << allCookies << "http://nokia.com/web" << result;
+    QTest::newRow("no-match-secure-2") << allCookies << "http://qt.nokia.com/web" << result;
+
 }
 
 void tst_QNetworkCookieJar::cookiesForUrl()