Bug 1286466 - Warning on applet located in different folder of the same domain
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: icedtea-web
Version: 23
Hardware: All Linux
Priority: unspecified
Severity: medium
Assigned To: jiri vanek
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-11-29 14:56 EST by Marco Motta
Modified: 2015-12-01 03:53 EST

Doc Type: Bug Fix
Last Closed: 2015-12-01 03:53:11 EST
Type: Bug
Description Marco Motta 2015-11-29 14:56:52 EST
Description of problem:

I have a java applet located in www.pippo.it/java/versione.jar
The applet is called from some html pages located in some folders (e.g. www.pippo.it/ita/dir/page.html).
It seems illogical to copy the same applet in all folders of the html pages that recall it.
This is the html code:

La versione di java installata sul tuo computer è la seguente:
<object type="application/x-java-applet" width="200" height="20" name="Versione java">
<param name="code" value="Versione.class"/>
<param name="archive" value="../../java/versione.jar"/>
<param name="permissions" value="sandbox"/>
nessuna. Devi <a href="http://www.java.com/it" target="java">installare</a> o abilitare java!
</object>


But a security warning always appears:

The application Versione java from
http://www.pippo.it/ita/dir/page.html uses resources from the
following remote locations:

* http://www.pippo.it/ita/dir
* http://www.pippo.it/java

Be very careful when application is loading from different space then
you expect. Are you sure you want to run this application?

For more information see:

JAR File Manifest Attributes

and

Preventing the Repurpsing of an Application

Note that the line "Codebase: www.pippo.it" in MANIFEST.MF is ignored.

Note also that "../../java/versione.jar" is not outside of the domain.

I do not understand the problem for security if the java applet and html page that calls it are in two different folders of the same domain!


Version-Release number of selected component (if applicable):

icedtea-web-1.6.1-3.fc23.x86_64

How reproducible:

See above

Steps to Reproduce:

See above

Actual results:

Security warning if html page and jar are in different folders

Expected results:

Security warning only if html and jar are in different domains
Comment 1 jiri vanek 2015-12-01 03:53:11 EST
Unluckily, the directories are part of the check intentionally.

The correct way to fix it is on your side:
Sign it, and put into the manifest the locations from which your applet is expected to run (or if you do not care then just an asterisk and kill this safety belt) - http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library . Generally, fill all the attributes in. Sorry. This security enhancement is not from my head but after some judging.. it is useful.

The less correct workaround is for your clients - to disable manifest checks - in deployment.properties add 
deployment.manifest.attributes.check=NONE
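
A defender-side audit for the fix described in comment 1, as an added example that is not part of the original bug report or of IcedTea-Web's code: it reads a JAR's manifest and reports whether the archive carries a signature file and the Permissions, Codebase and Application-Library-Allowable-Codebase attributes, flagging a bare asterisk. The function names and the sample JAR are constructed for illustration, and the signature check only looks for a META-INF/*.SF entry without verifying it.

```python
import io
import zipfile

# Attributes from the Oracle manifest guide linked in comment 1.
CHECKED = ("Permissions", "Codebase", "Application-Library-Allowable-Codebase")

def main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF into {lowercased name: value}."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if line.startswith(" ") and last:   # continuation of a wrapped value
            attrs[last] += line[1:]
        elif not line.strip():              # blank line ends the main section
            if attrs:
                break
        elif ": " in line:
            name, _, value = line.partition(": ")
            last = name.strip().lower()     # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def audit_jar(jar_bytes):
    """Report signature-file presence (not validity) and deployment attributes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF in archive"]
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    findings = []
    if not any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF") for n in names):
        findings.append("unsigned: no META-INF/*.SF entry")
    for name in CHECKED:
        value = attrs.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing")
        elif name != "Permissions" and value.strip() == "*":
            findings.append(f"{name}: wildcard, location restriction disabled")
    return findings

def build_jar(manifest_text, extra_entries=()):
    """Build a constructed in-memory JAR for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        for entry in extra_entries:
            jar.writestr(entry, b"")
    return buf.getvalue()

# Constructed sample: unsigned JAR whose manifest sets only Codebase.
SAMPLE = build_jar("Manifest-Version: 1.0\r\nCodebase: www.pippo.it\r\n\r\n")
```

Calling `audit_jar(SAMPLE)` returns the list of findings for the constructed JAR; an empty list means a signature file and all three attributes are present without wildcards.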
