Copy HttpOnly flag in proxy cookie (mitre#151)

* Copy HttpOnly flag in proxy cookie
* Upgrade servlet-api to v3.0

Author: royling

CHANGES.md

@@ -1,6 +1,9 @@
 
 # Version 1.11 (unreleased)
 
+\#151: Copy `HttpOnly` flag of proxy coookie to request clients, for fixing security vulnerabilities in cookies.
+This also updates `javax.servlet-api` to `v3.0.1`.
+
 \#139: Use Java system properties for http proxy (and other settings) by default.
 This is a regression; it used to work this way in 1.8 and prior.
 Thanks Thorsten Möller.

pom.xml

@@ -61,8 +61,8 @@
     <!-- FYI tomcat 5.5 & beyond -->
     <dependency>
       <groupId>javax.servlet</groupId>
-      <artifactId>servlet-api</artifactId>
-      <version>2.4</version>
+      <artifactId>javax.servlet-api</artifactId>
+      <version>3.0.1</version>
       <scope>provided</scope>
     </dependency>
 

src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java

@@ -505,6 +505,7 @@ protected void copyProxyCookie(HttpServletRequest servletRequest,
       // don't set cookie domain
       servletCookie.setSecure(cookie.getSecure());
       servletCookie.setVersion(cookie.getVersion());
+      servletCookie.setHttpOnly(cookie.isHttpOnly());
       servletResponse.addCookie(servletCookie);
     }
   }