Merge remote-tracking branch 'origin/jetty-9.4.x' into jetty-10.0.x

jetty-server/src/main/java/org/eclipse/jetty/server/Response.java

@@ -229,6 +229,9 @@ public class Response implements HttpServletResponse
 
     @Override
     public void addCookie(Cookie cookie)
+    {
+        //Servlet Spec 9.3 Include method: cannot set a cookie if handling an include
+        if (isMutable())
         {
             if (StringUtil.isBlank(cookie.getName()))
                 throw new IllegalArgumentException("Cookie.name cannot be blank/null");
@@ -251,6 +254,7 @@ public class Response implements HttpServletResponse
                 cookie.getVersion(),
                 sameSite));
         }
+    }
 
     /**
      * Replace (or add) a cookie.
@@ -302,7 +306,6 @@ public class Response implements HttpServletResponse
         addCookie(cookie);
     }
 
-    @Override
     public boolean containsHeader(String name)
     {
         return _fields.contains(name);

jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java

@@ -1094,6 +1094,23 @@ public class ResponseTest
         assertEquals("name=value; Path=/path; Domain=domain; Secure; HttpOnly", set);
     }
     
+    @Test
+    public void testAddCookieInInclude() throws Exception
+    {
+        Response response = getResponse();
+        response.include();
+
+        Cookie cookie = new Cookie("naughty", "value");
+        cookie.setDomain("domain");
+        cookie.setPath("/path");
+        cookie.setSecure(true);
+        cookie.setComment("comment__HTTP_ONLY__");
+
+        response.addCookie(cookie);
+
+        assertNull(response.getHttpFields().get("Set-Cookie"));
+    }
+    
     @Test
     public void testAddCookieSameSiteDefault() throws Exception
     {