Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bc22d863 authored by Nate Fischer's avatar Nate Fischer
Browse files

WebView: deprecate 'Secure' cookies for insecure schemes 

No change to logic, only docs. This announces 'Secure' cookies are
deprecated for insecure URL schemes (only "https://" is considered
secure). This doesn't mention target SDK, because apps should follow
this guidance for all WebView versions, target SDKs, and OS levels.

Bug: 149589092
Test: m offline-sdk-docs -j4
Change-Id: I07c2b5341588d354f7f8219ce71a3d2ca04bc982
parent 6bb457b3

core/java/android/webkit/CookieManager.java

+6 −0
Original line number Diff line number Diff line
@@ -102,6 +102,9 @@ public abstract class CookieManager { 
     * path and name will be replaced with the new cookie. The cookie being set

     * will be ignored if it is expired.

     *

     * <p class="note"><b>Note:</b> if specifying a {@code value} containing the {@code "Secure"}

     * attribute, {@code url} must use the {@code "https://"} scheme.

     *

     * @param url the URL for which the cookie is to be set

     * @param value the cookie as a string, using the format of the 'Set-Cookie'

     *              HTTP response header
@@ -122,6 +125,9 @@ public abstract class CookieManager { 
     * completes or whether it succeeded, and in this case it is safe to call the method from a

     * thread without a Looper.

     *

     * <p class="note"><b>Note:</b> if specifying a {@code value} containing the {@code "Secure"}

     * attribute, {@code url} must use the {@code "https://"} scheme.

     *

     * @param url the URL for which the cookie is to be set

     * @param value the cookie as a string, using the format of the 'Set-Cookie'

     *              HTTP response header