Secure Cookies should only be sent over secure connections.

http://bugreports.qt.nokia.com/browse/QTBUG-9618

QtWebKit currently fails the following test:

LayoutTests/http/tests/xmlhttprequest/cookies.html

This is because QNetworkCookieJar::cookiesForUrl returns secure
cookies even when the connection is not secure.

A 'secure' cookie is set by response headers from a http  server as follows:

'Set-Cookie: cookie-name=value; secure'

Correct QNetworkCookieJar::cookiesForUrl to ignore secure cookies when the
url in the request is not 'https:'.

Task-number: QTBUG-9618
Merge-request: 2372
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>

1 files changed, 3 insertions, 0 deletions

diff --git a/src/network/access/qnetworkcookiejar.cpp b/src/network/access/qnetworkcookiejar.cpp
index 8727095..0b3a918 100644
--- a/src/network/access/qnetworkcookiejar.cpp
+++ b/src/network/access/qnetworkcookiejar.cpp
@@ -269,6 +269,7 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
     Q_D(const QNetworkCookieJar);
     QDateTime now = QDateTime::currentDateTime();
     QList<QNetworkCookie> result;
+    bool isEncrypted = url.scheme().toLower() == QLatin1String("https");
 
     // scan our cookies for something that matches
     QList<QNetworkCookie>::ConstIterator it = d->allCookies.constBegin(),
@@ -280,6 +281,8 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
             continue;
         if (!(*it).isSessionCookie() && (*it).expirationDate() < now)
             continue;
+        if ((*it).isSecure() && !isEncrypted)
+            continue;
 
         // insert this cookie into result, sorted by path
         QList<QNetworkCookie>::Iterator insertIt = result.begin();