[icedtea-web] Idea - do not start ITW applets automatically

Jiri Vanek jvanek at redhat.com
Fri Nov 16 05:20:56 PST 2012 

On 11/15/2012 09:30 PM, Adam Domurad wrote:
> So in lieu of requests such as [1] and the potential for unsigned code escaping the sandbox (eg, the recent 0day) it could be worth looking into a feature that has applets not start automatically, but rather require a user confirmation (click?) to begin. Additionally a more strict setting could not allow This could be controlled via itweb-settings/environment and distributions might want it as the default.
>
> There should be some way to opt-in normal execution of signed applets based on certificate. When an applet's certificates are all opted in, it will start automatically. (Note that we do not need to handle mixed signed + unsigned code specially, it already requires a confirmation.) Unsigned applets, if we choose to allow them being opted in, can be opted in on a full domain name basis.
>
> The main motivation I have for proposing this feature is that many applet users only use a handful of applets, and having other applets automatically start is mostly an unnecessary attack surface. I have seen "Disable java in browser, and turn it on for any applets you need to use only" giving as advice following the 0day, and this would be a superior option.
>
> [1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1211
>
> Thoughts?
> -Adam

Interesting idea, probably worthy to implement.
Default behaviour should be definitely set-up-able from itw-settings.
As you summarised, we need to take care only about unsigned applets, as signed ones already have launch/launch always/dont launch/never launch (or similar)
Or this setting can be independent on signatures and so be checked even before signatures (launch/launch always/dont launch/never launch), and then trustworthiness will be checked.
Or maybe some mixture :) - but I'm probably for second approach - before and independent on the signatures.

What is little bit more in my mind is, if you want to avoid of launching of jvm at all. If you want, then then it will probably not possible to have some interactive communication with user.
If you will suffer launching of jvm, ten we can probably misuse splash - before actual loading starts, there wil be not-animated spalsh with text eg  "this is applet, destiny of applets on domain blahblah.bl is not specified, would you like to launc/launchalways?"
After launch applet will be started, after launch always will be started and marked in itw-settings. Advantage is that user will not be disturbed by prompt, and should be quite easily to be implemented)
  Localhost should be always trusted.

So as I see it there should be some table with url+wildcards and actions
Possible values  can be :
do not  launch jvm at all
do not launch applets
launch applets always

And some default value - probably do not launch applets.

There can appear several tricky parts (except do not launch jvm at al, which will be handled in C, and I have no clue about it) with multiple applets on different urls with different codebasses.

Not sure if this is what you wanted to hear, but think about it as "brainstorming" :)

J.

More information about the distro-pkg-dev mailing list