From 1a471513de808c9d34646e6db925b609411576a5 Mon Sep 17 00:00:00 2001
From: Akinori MUSHA
Date: Wed, 17 Oct 2012 22:28:57 +0900
Subject: [PATCH] Disallow changing the origin of a cookie once it is set.
---
 lib/http/cookie.rb | 2 ++
 test/test_http_cookie.rb | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/lib/http/cookie.rb b/lib/http/cookie.rb
index b0c6a97..595c7d6 100644
--- a/lib/http/cookie.rb
+++ b/lib/http/cookie.rb
@@ -220,6 +220,8 @@ class HTTP::Cookie
 end
 def origin=(origin)
+ @origin.nil? or
+ raise ArgumentError, "origin cannot be changed once it is set"
 origin = URI(origin)
 acceptable_from_uri?(origin) or
 raise ArgumentError, "unacceptable cookie sent from URI #{origin}"
diff --git a/test/test_http_cookie.rb b/test/test_http_cookie.rb
index cbe8a11..94d412d 100644
--- a/test/test_http_cookie.rb
+++ b/test/test_http_cookie.rb
@@ -505,6 +505,9 @@ class TestHTTPCookie < Test::Unit::TestCase
 assert_equal '/', cookie.path
 assert_equal 'example.com', cookie.domain
 assert_equal true, cookie.for_domain
+ assert_raises(ArgumentError) {
+ cookie.origin = URI.parse('http://www.example.com/')
+ }
 cookie_str = 'a=b; domain=example.com'
 cookie = HTTP::Cookie.parse(cookie_str).first
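Review bot: The new write-once guard at the top of `origin=` raises the same `ArgumentError` that the method already uses for an unacceptable origin URI, so a caller that rescues `ArgumentError` to drop unacceptable cookies cannot tell a rejected URI from an attempt to re-scope a cookie that already has an origin. Because only `@origin.nil?` is tested, assigning the identical origin a second time is rejected as well. Nothing in the hunk documents this contract; I would add above the method `# Write-once: raises ArgumentError if an origin is already set, even when the new value is the same URI.` The method body continues past the end of the hunk, so the point where `@origin` is finally assigned is not visible here.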
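Review bot: The added `assert_raises` block covers only one URI, presumably different from the cookie's existing origin, so the same-origin re-assignment that the `@origin.nil?` guard also rejects is not pinned by any test. Nothing checks that the cookie is left unchanged after the rejected assignment either. I would add `assert_raises(ArgumentError) { cookie.origin = cookie.origin }` and repeat `assert_equal 'example.com', cookie.domain` after the block. The enclosing test method starts and ends outside the hunk.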