When running in a secure context, trying to open the ColorChooser control from a WebView control fails.

To reproduce: Run the attached test with a secure context using the attached security policy (-Djava.security.manager -Djava.security.policy=java.policy), and press the button to open the ChooseColor control. It doesn't show and the following exception is thrown:

Exception in thread "JavaFX Application Thread" java.security.AccessControlException: access denied ("java.io.FilePermission" "jar:file:/~/.m2/repository/org/openjfx/javafx-controls/20-ea+11/javafx-controls-20-ea+11-mac-aarch64.jar!/com/sun/javafx/scene/control/skin/modena/pattern-transparent.png" "read")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
        at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:756)
        at java.base/java.io.File.exists(File.java:829)
        at javafx.graphics@20-ea/javafx.scene.image.Image.validateUrl(Image.java:1130)
        at javafx.graphics@20-ea/javafx.scene.image.Image.<init>(Image.java:628)
        at javafx.graphics@20-ea/com.sun.javafx.css.StyleManager$ImageCache.getCachedImage(StyleManager.java:770)
        at javafx.graphics@20-ea/com.sun.javafx.css.StyleManager.getCachedImage(StyleManager.java:846)
        at javafx.graphics@20-ea/javafx.scene.layout.BackgroundConverter.convert(BackgroundConverter.java:97)
        at javafx.graphics@20-ea/javafx.scene.layout.BackgroundConverter.convert(BackgroundConverter.java:42)
        at javafx.graphics@20-ea/javafx.scene.CssStyleHelper.lookup(CssStyleHelper.java:1144)
        at javafx.graphics@20-ea/javafx.scene.CssStyleHelper.transitionToState(CssStyleHelper.java:858)
        at javafx.graphics@20-ea/javafx.scene.Node.doProcessCSS(Node.java:9723)
        at javafx.graphics@20-ea/javafx.scene.Node$1.doProcessCSS(Node.java:482)
        at javafx.graphics@20-ea/com.sun.javafx.scene.NodeHelper.processCSSImpl(NodeHelper.java:194)
        at javafx.graphics@20-ea/com.sun.javafx.scene.ParentHelper.superProcessCSSImpl(ParentHelper.java:93)
        at javafx.graphics@20-ea/com.sun.javafx.scene.ParentHelper.superProcessCSS(ParentHelper.java:63)
        at javafx.graphics@20-ea/javafx.scene.Parent.doProcessCSS(Parent.java:1370)
        at javafx.graphics@20-ea/javafx.scene.Parent$1.doProcessCSS(Parent.java:125)
        at javafx.graphics@20-ea/com.sun.javafx.scene.ParentHelper.processCSSImpl(ParentHelper.java:98)
        at javafx.graphics@20-ea/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:147)
        at javafx.graphics@20-ea/javafx.scene.Parent.doProcessCSS(Parent.java:1401)
        at javafx.graphics@20-ea/javafx.scene.Parent$1.doProcessCSS(Parent.java:125)
        at javafx.graphics@20-ea/com.sun.javafx.scene.ParentHelper.processCSSImpl(ParentHelper.java:98)
        at javafx.graphics@20-ea/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:147)
        at javafx.graphics@20-ea/javafx.scene.Parent.doProcessCSS(Parent.java:1401)
        at javafx.graphics@20-ea/javafx.scene.Parent$1.doProcessCSS(Parent.java:125)
        at javafx.graphics@20-ea/com.sun.javafx.scene.ParentHelper.processCSSImpl(ParentHelper.java:98)
        at javafx.graphics@20-ea/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:147)
        at javafx.graphics@20-ea/javafx.scene.Node.processCSS(Node.java:9605)
        at javafx.graphics@20-ea/javafx.scene.Scene.doCSSPass(Scene.java:587)
        at javafx.graphics@20-ea/javafx.scene.Scene.preferredSize(Scene.java:1786)
        at javafx.graphics@20-ea/javafx.scene.Scene$2.preferredSize(Scene.java:411)
        at javafx.graphics@20-ea/com.sun.javafx.scene.SceneHelper.preferredSize(SceneHelper.java:65)
        at javafx.graphics@20-ea/javafx.stage.Window$12.invalidated(Window.java:1163)
        at javafx.base@20-ea/javafx.beans.property.BooleanPropertyBase.markInvalid(BooleanPropertyBase.java:110)
        at javafx.base@20-ea/javafx.beans.property.BooleanPropertyBase.set(BooleanPropertyBase.java:145)
        at javafx.graphics@20-ea/javafx.stage.Window.setShowing(Window.java:1239)
        at javafx.graphics@20-ea/javafx.stage.Window.show(Window.java:1254)
        at javafx.graphics@20-ea/javafx.stage.Stage.show(Stage.java:277)
        at javafx.controls@20-ea/com.sun.javafx.scene.control.CustomColorDialog.show(CustomColorDialog.java:198)
        at javafx.web@20-ea/com.sun.webkit.ColorChooser.<init>(ColorChooser.java:66)
        at javafx.web@20-ea/com.sun.webkit.ColorChooser.fwkCreateAndShowColorChooser(ColorChooser.java:70)

The exception points to: javafx.graphics@20-ea/javafx.scene.image.Image.validateUrl(Image.java:1130)

The check
if (new File(url).exists()) { } // line 1130

was added in JDK-8267551, by this commit:

https://github.com/openjdk/jfx/pull/508/files#diff-0d427794abc3bdc37d53c1e4abfe9dbaac32f2ba104087f035399d9e60cc30ecR1127

Therefore ColorChooser works up until JavaFX 16 and 17-ea+12, and fails since 17 (starting 17-ea+13).

In fact, this issue can be reproduced with any control that uses bundled resources, like the HTMLEditor control for instance.

There might be other places where the same exception is thrown, like com.sun.javafx.iio.common.ImageTools::createInputStream.

For now, the workaround to make this work is to allow file permissions, like:

permission java.io.FilePermission "jar:file:/${user.home}/.m2/repository/org/openjfx/-", "read";