Bug 1286466

Summary: Warning on applet located in different folder of the same domain
Product: [Fedora] Fedora
Reporter: Marco Motta <marco.motta>
Component: icedtea-web
Assignee: jiri vanek <jvanek>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 23
CC: dbhole, jvanek, omajid
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-01 08:53:11 UTC
Type: Bug

Description Marco Motta 2015-11-29 19:56:52 UTC
Description of problem:

I have a Java applet located at www.pippo.it/java/versione.jar.
The applet is called from some HTML pages located in various folders (e.g. www.pippo.it/ita/dir/page.html).
It seems illogical to copy the same applet into all the folders of the HTML pages that call it.
This is the HTML code:

La versione di java installata sul tuo computer &egrave; la seguente:
<object type="application/x-java-applet" width="200" height="20" name="Versione java">
<param name="code" value="Versione.class"/>
<param name="archive" value="../../java/versione.jar"/>
<param name="permissions" value="sandbox"/>
nessuna. Devi <a href="http://www.java.com/it" target="java">installare</a> o abilitare java!
</object>

But a security warning always appears:

The application Versione java from
http://www.pippo.it/ita/dir/page.html uses resources from the
following remote locations:

* http://www.pippo.it/ita/dir
* http://www.pippo.it/java

Be very careful when application is loading from different space then
you expect. Are you sure you want to run this application?

For more information see:

JAR File Manifest Attributes

and

Preventing the Repurposing of an Application

Note that the line "Codebase: www.pippo.it" in MANIFEST.MF is ignored.

Note also that "../../java/versione.jar" is not outside of the domain.

I do not understand the problem for security if the java applet and html page that calls it are in two different folders of the same domain!


Version-Release number of selected component (if applicable):

icedtea-web-1.6.1-3.fc23.x86_64

How reproducible:

See above

Steps to Reproduce:

See above

Actual results:

Security warning if html page and jar are in different folders

Expected results:

Security warning only if html and jar are in different domains

Comment 1 jiri vanek 2015-12-01 08:53:11 UTC
Unluckily, the directories are part of the check intentionally.

The correct way to fix it is on your side:
Sign it, and put into the manifest the locations from which your applet is expected to run (or if you do not care then just an asterisk and kill this safety belt) - http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library . Generally, fill all the attributes in. Sorry. This security enhancement is not from my head but after some judging; it is useful.

The less correct workaround is for your clients - to disable manifest checks - in deployment.properties add
deployment.manifest.attributes.check=NONE
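As an added illustration of the fix proposed in comment 1 (this is not icedtea-web's code nor the reporter's), the script below parses a MANIFEST.MF and reports which of the locations named in the warning dialog are not covered by the Application-Library-Allowable-Codebase attribute. The matching rule is a simplified model of the documented attribute ('*' wildcard, a domain or directory covering everything below it), not icedtea-web's exact implementation; the manifests are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

ATTR = "Application-Library-Allowable-Codebase"

def parse_manifest(text):
    """Return the main-section attributes of a MANIFEST.MF as a dict.
    A line starting with a space continues the previous value (72-byte wrap)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                        # blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]      # continuation: glued on without a separator
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            attrs[last] = value.lstrip(" ")  # keep a trailing space for wrapped lists
    return attrs

def _host_path(url):
    """Normalise a URL or bare 'host/path' entry to lower-case 'host/path'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.netloc + parts.path).rstrip("/").lower()

def covers(pattern, location):
    """Simplified model: an entry covers a location if it matches it exactly
    (with '*' wildcards) or the location lies below the entry's directory."""
    p, loc = _host_path(pattern), _host_path(location)
    return fnmatchcase(loc, p) or fnmatchcase(loc, p + "/*")

def unlisted_locations(manifest_text, locations):
    """Locations the applet loads from that no attribute entry covers."""
    patterns = parse_manifest(manifest_text).get(ATTR, "").split()
    return [loc for loc in locations
            if not any(covers(p, loc) for p in patterns)]

# Constructed inputs: the two locations listed in the bug's warning dialog.
USED = ["http://www.pippo.it/ita/dir", "http://www.pippo.it/java"]
# Manifest like the reporter's: Codebase only, so no location is allowed.
BEFORE = "Manifest-Version: 1.0\nCodebase: www.pippo.it\nPermissions: sandbox\n"
# Manifest as comment 1 suggests: each expected location listed explicitly
# (the list is wrapped onto a continuation line, trailing space preserved).
AFTER = ("Manifest-Version: 1.0\nCodebase: www.pippo.it\nPermissions: sandbox\n"
         "Application-Library-Allowable-Codebase: www.pippo.it/ita/dir \n"
         " www.pippo.it/java\n")

if __name__ == "__main__":
    print("before:", unlisted_locations(BEFORE, USED))   # both locations
    print("after: ", unlisted_locations(AFTER, USED))    # []
```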