FULL PRODUCT VERSION :
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Debian 6.0.7, kernel 2.6.32.5-amd64
EXTRA RELEVANT SYSTEM CONFIGURATION :
Firefox 24 (amd64)
A DESCRIPTION OF THE PROBLEM :
If the same applet is called from different websites, the manifest attribute Caller-Allowable-Codebase is checked during the first access from JS, which makes it possible to call the applet from the JS of a website that is not on the Caller-Allowable-Codebase list.
ADDITIONAL REGRESSION INFORMATION:
Since the attribute Caller-Allowable-Codebase was introduced in 7u45, the observed behavior does not apply to any previous version.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
(1) Add "Caller-Allowable-Codebase: https://server.domain/" to applet manifest and sign it.
(2) Embed the applet in an HTML page with an absolute codebase (e.g. https://server.domain/applets/test.jar) and include JS that talks to the applet.
(3) Open Firefox with the 7u45 plugin registered.
(4) Go to the page created in step 2 (e.g. https://server.domain/testapplet.html).
(5) JS calls the applet successfully.
(6) Open new tab.
(7) Go to a page using an unqualified hostname in the URL (e.g. https://server/testapplet.html).
(8) JS calls the applet successfully, although the site (https://server/) is not on the Caller-Allowable-Codebase list.
If you skip steps 4-6, JS cannot call the applet.
Furthermore, if you reverse the order of pages (first open https://server/... and then https://server.domain/...), JS from neither page can call the applet.
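The three observations above (listed-then-unlisted allows both, unlisted-then-listed denies both, unlisted alone denies) are what one would see if the allow-list verdict were cached per applet after the first JS call instead of per calling origin. The Python model below is added here to illustrate that reading; it is not code from the JDK plugin, the per-applet caching is an inference from the observed behavior rather than a confirmed cause, and the origin matching is a simplified assumption.

```python
from urllib.parse import urlsplit

# Constructed values taken from the report's reproduction steps.
ALLOWED = ["https://server.domain/"]                      # manifest attribute value
APPLET = "https://server.domain/applets/test.jar"         # absolute codebase
LISTED_PAGE = "https://server.domain/testapplet.html"     # caller on the list
UNLISTED_PAGE = "https://server/testapplet.html"          # unqualified host, not listed

def origin(url):
    """Scheme, host and port of a URL; the identity the allow-list is matched on."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)

def caller_allowed(allowed, caller_url):
    """Simplified (assumed) matching: the caller origin must equal a listed origin."""
    return origin(caller_url) in {origin(entry) for entry in allowed}

class PerAppletCache:
    """Models the observed 7u45 behavior: the verdict for the first JS caller is
    stored per applet and reused for every later caller, whoever it is."""
    def __init__(self, allowed):
        self.allowed, self.cache = allowed, {}
    def check(self, applet, caller_url):
        if applet not in self.cache:
            self.cache[applet] = caller_allowed(self.allowed, caller_url)
        return self.cache[applet]

class PerCallerCache:
    """Expected behavior: the verdict is keyed on (applet, caller origin), so a
    second site is evaluated against the list on its own."""
    def __init__(self, allowed):
        self.allowed, self.cache = allowed, {}
    def check(self, applet, caller_url):
        key = (applet, origin(caller_url))
        if key not in self.cache:
            self.cache[key] = caller_allowed(self.allowed, caller_url)
        return self.cache[key]

def replay(policy_cls, pages, allowed=ALLOWED, applet=APPLET):
    """Run a sequence of page loads (each calling the applet from JS) through a
    policy and return the allow/deny verdict for each call."""
    policy = policy_cls(allowed)
    return [policy.check(applet, page) for page in pages]

if __name__ == "__main__":
    for name, cls in (("per-applet cache (observed)", PerAppletCache),
                      ("per-caller cache (expected)", PerCallerCache)):
        print(name, "listed then unlisted:", replay(cls, [LISTED_PAGE, UNLISTED_PAGE]))
        print(name, "unlisted then listed:", replay(cls, [UNLISTED_PAGE, LISTED_PAGE]))
```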
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
In step 8 the call from JS to the applet should fail.
ACTUAL -
See steps to reproduce.
REPRODUCIBILITY :
This bug can be reproduced always.