[icedtea-web] Idea - do not start ITW applets automatically

Adam Domurad adomurad at redhat.com
Thu Nov 15 12:30:05 PST 2012


So in lieu of requests such as [1] and the potential for unsigned code 
escaping the sandbox (e.g., the recent 0day) it could be worth looking 
into a feature that has applets not start automatically, but rather 
require a user confirmation (click?) to begin. Additionally a more 
strict setting could not allow This could be controlled via 
itweb-settings/environment and distributions might want it as the default.

There should be some way to opt-in normal execution of signed applets 
based on certificate. When an applet's certificates are all opted in, it 
will start automatically. (Note that we do not need to handle mixed 
signed + unsigned code specially, it already requires a confirmation.) 
Unsigned applets, if we choose to allow them being opted in, can be 
opted in on a full domain name basis.

The main motivation I have for proposing this feature is that many 
applet users only use a handful of applets, and having other applets 
automatically start is mostly an unnecessary attack surface. I have seen 
"Disable java in browser, and turn it on for any applets you need to use 
only" given as advice following the 0day, and this would be a superior 
option.

[1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1211

Thoughts?
-Adam
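
The opt-in rules proposed in the message above, sketched as a start-up decision function. This is an added example, not part of the original post and not IcedTea-Web code: the class, enum and method names, the fingerprint strings and the host names are all hypothetical, and it assumes opt-ins are stored as certificate fingerprints and lower-case host names.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Hypothetical sketch of the proposed policy; none of these names exist in IcedTea-Web.
public class AppletStartPolicy {
    enum Decision { START_AUTOMATICALLY, REQUIRE_CONFIRMATION }

    private final Set<String> optedInCerts;  // fingerprints the user opted in
    private final Set<String> optedInHosts;  // full host names, stored lower case

    AppletStartPolicy(Set<String> optedInCerts, Set<String> optedInHosts) {
        this.optedInCerts = optedInCerts;
        this.optedInHosts = optedInHosts;
    }

    Decision decide(Set<String> signerCerts, boolean hasUnsignedCode, URI codebase) {
        boolean signed = !signerCerts.isEmpty();
        if (signed && hasUnsignedCode) {
            // Mixed signed + unsigned code already prompts; never auto-start it.
            return Decision.REQUIRE_CONFIRMATION;
        }
        if (signed) {
            // Every signing certificate must be opted in. The isEmpty() check above
            // keeps containsAll() from passing vacuously on an empty signer set.
            return optedInCerts.containsAll(signerCerts)
                    ? Decision.START_AUTOMATICALLY : Decision.REQUIRE_CONFIRMATION;
        }
        // Unsigned: exact full-host match only, so an opt-in for one host does not
        // cover sibling hosts, parent domains or look-alike suffixes.
        String host = codebase.getHost();  // null when the URI carries no host
        if (host != null && optedInHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return Decision.START_AUTOMATICALLY;
        }
        return Decision.REQUIRE_CONFIRMATION;
    }

    public static void main(String[] args) {
        // Constructed sample data, not real fingerprints or sites.
        AppletStartPolicy policy = new AppletStartPolicy(
                Set.of("fp-A", "fp-B"), Set.of("applets.example.com"));
        URI site = URI.create("http://applets.example.com/app/");
        URI other = URI.create("http://other.example.com/app/");
        System.out.println(policy.decide(Set.of("fp-A", "fp-B"), false, site));
        System.out.println(policy.decide(Set.of("fp-A", "fp-C"), false, site));
        System.out.println(policy.decide(Set.of("fp-A"), true, site));
        System.out.println(policy.decide(Set.of(), false, site));
        System.out.println(policy.decide(Set.of(), false, other));
    }
}
```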


