YARN-8868. Set HTTPOnly attribute to Cookie. Contributed by Chandni Singh.

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java

@@ -179,10 +179,10 @@ public class Dispatcher extends HttpServlet {
     String st = devMode ? ErrorPage.toStackTrace(e, 1024 * 3) // spec: min 4KB
                         : "See logs for stack trace";
     res.setStatus(res.SC_FOUND);
-    Cookie cookie = new Cookie(STATUS_COOKIE, String.valueOf(500));
+    Cookie cookie = createCookie(STATUS_COOKIE, String.valueOf(500));
     cookie.setPath(path);
     res.addCookie(cookie);
-    cookie = new Cookie(ERROR_COOKIE, st);
+    cookie = createCookie(ERROR_COOKIE, st);
     cookie.setPath(path);
     res.addCookie(cookie);
     res.setHeader("Location", path);
@@ -196,7 +196,7 @@ public class Dispatcher extends HttpServlet {
   public static void removeCookie(HttpServletResponse res, String name,
                                   String path) {
     LOG.debug("removing cookie {} on {}", name, path);
-    Cookie c = new Cookie(name, "");
+    Cookie c = createCookie(name, "");
     c.setMaxAge(0);
     c.setPath(path);
     res.addCookie(c);
@@ -249,4 +249,10 @@ public class Dispatcher extends HttpServlet {
       }
     }, 18); // enough time for the last local request to complete
   }
+
+  private static Cookie createCookie(String name, String val) {
+    Cookie cookie = new Cookie(name, val);
+    cookie.setHttpOnly(true);
+    return cookie;
+  }
 }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java

@@ -322,6 +322,7 @@ public class WebAppProxyServlet extends HttpServlet {
   
   private static Cookie makeCheckCookie(ApplicationId id, boolean isSet) {
     Cookie c = new Cookie(getCheckCookieName(id),String.valueOf(isSet));
+    c.setHttpOnly(true);
     c.setPath(ProxyUriUtils.getPath(id));
     c.setMaxAge(60 * 60 * 2); //2 hours in seconds
     return c;