Bug
Resolution: Not an Issue
P4
None
8u25
x86_64
linux
FULL PRODUCT VERSION :
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Fedora 19.
EXTRA RELEVANT SYSTEM CONFIGURATION :
Firefox 33.1.
A DESCRIPTION OF THE PROBLEM :
"Caller-Allowable-Codebase" cannot be set in an Applet JAR manifest in a way that allows LiveConnect (JavaScript to Java Applet) calls in HTML files loaded from a file URL (file://...).
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create a signed JAR containing an Applet class, a JNLP launch file, and a manifest with the line "Caller-Allowable-Codebase: *".
2. Create an HTML file that includes a JNLP deploy of the Applet, and JavaScript code that calls a method of that Applet.
3. Load the HTML file in Firefox 33.1 from a file URL (file:///...).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The JavaScript call to an Applet method succeeds.
ACTUAL -
The JavaScript call is blocked, and the Java console reports a LiveConnect Security Exception.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
liveconnect: Security Exception: JavaScript from file:/home/[PATH_OMITTED]/index.html attempted to access a resource it has no rights to.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
The problem manifests with:
1. Any Applet code,
2. In a signed JAR, with an embedded JNLP file, and a manifest file that includes a "Caller-Allowable-Codebase: *" line and (correctly) no "Trusted-Library" line,
3. Deployed in an HTML file using JNLP JavaScript to create the applet tag, and
4. Loaded at a file URL (file:///....).
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Change Caller-Allowable-Codebase to "localhost", and access the file through a local webserver.
Note that there's a separate bug report that LiveConnect doesn't work on http URLs when Caller-Allowable-Codebase is set to "*": https://bugs.openjdk.java.net/browse/JDK-8065741 .
I can confirm this bug on both Java 1.8.0_25 and 1.7.0_67. The only Caller-Allowable-Codebase settings that work are "domain" and "*.domain". The present bug comes about because there's no equivalent domain for file URLs, so we seem to be stuck using the non-working "*".
SUPPORT :
YES
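The following is an added example, not code from the report or from the JDK: it reads the Caller-Allowable-Codebase attribute from a JAR manifest, labels each entry in the report's terms ("domain", "*.domain", "*"), and shows that a file: page URL carries no host that a domain entry could be compared against. The sample JAR, the URLs and all function names are constructed for illustration, and the script does not reproduce the JRE's own LiveConnect check.

```python
import io
import zipfile
from urllib.parse import urlsplit

def main_attributes(jar_bytes):
    """Return the manifest's main-section attributes, keyed by lower-cased name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                       # a blank line ends the main section
            break
        if line.startswith(" ") and key:   # continuation of a wrapped value
            attrs[key] += line[1:]
        else:
            name, _, value = line.partition(": ")
            key = name.lower()             # manifest attribute names are case-insensitive
            attrs[key] = value
    return attrs

def classify(entry):
    """Label one Caller-Allowable-Codebase entry using the report's three forms."""
    if entry == "*":
        return "wildcard"
    if entry.startswith("*."):
        return "subdomain-wildcard"
    return "domain"

def audit(jar_bytes, page_url):
    attrs = main_attributes(jar_bytes)
    # Assumption: multiple entries are separated by whitespace.
    entries = attrs.get("caller-allowable-codebase", "").split()
    host = urlsplit(page_url).hostname     # None for file:/... and file:///... URLs
    return {"entries": [(e, classify(e)) for e in entries],
            "trusted_library": "trusted-library" in attrs,
            "page_host": host}

def sample_jar(manifest_text):
    """Build a constructed in-memory JAR that holds only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

if __name__ == "__main__":
    jar = sample_jar("Manifest-Version: 1.0\r\nCaller-Allowable-Codebase: *\r\n\r\n")
    for url in ("file:///home/user/applet/index.html", "http://localhost/applet/index.html"):
        print(url, audit(jar, url))
```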