-
CSR
-
Resolution: Approved
-
P3
-
None
-
source
-
minimal
-
This is just documentation / deprecation, so little risk associated at this stage, except for the effect of additional compiler warnings, about usage of this method which is actually a desired consequence (!)
-
Java API
-
SE
Summary
Deprecate for removal javax.swing.plaf.synth.SynthLookAndFeel.load(URL url)
Problem
Synth styles may include code. But it is not easy for applications - or the JDK - to ensure that the URL used by SynthLookAndFeel.load(URL) is trusted.
Solution
Document in clear language that use of this method is discouraged, and further to that, deprecate the method for removal in a future release.
Specification
Add the following to the javadoc for
javax.swing.plaf.synth.SynthLookAndFeel.load(URL url)
+ * Whilst this API may be safe for loading local resources that are
+ * delivered with a {@code LookAndFeel} or application, and so have an
+ * equal level of trust with application code, using it to load from
+ * from remote resources, particularly any which may have a lower level of
+ * trust, is strongly discouraged.
+ * The alternative mechanisms to load styles from an {@code InputStream}
+ * using a resource co-located with the application or by
+ * providing a {@code SynthStyleFactory} are preferred.
+ * Consequently this method is deprecated and will be removed in a future release.
..
..
+ @Deprecated(since = "21", forRemoval = true)
public void load(URL url) throws ParseException, IOException
- csr of
-
JDK-8300891 Deprecate for removal javax.swing.plaf.synth.SynthLookAndFeel.load(URL url)
-
- Resolved
-