[icedtea-web] Idea - do not start ITW applets automatically

[Jiri Vanek]

On 11/16/2012 06:01 PM, Saad Mohammad wrote:
> On 11/15/2012 03:30 PM, Adam Domurad wrote:
>> So in lieu of requests such as [1] and the potential for unsigned code escaping
>> the sandbox (eg, the recent 0day) it could be worth looking into a feature that
>> has applets not start automatically, but rather require a user confirmation
>> (click?) to begin. Additionally a more strict setting could not allow This could
>> be controlled via itweb-settings/environment and distributions might want it as
>> the default.
>>
>> There should be some way to opt-in normal execution of signed applets based on
>> certificate. When an applet's certificates are all opted in, it will start
>> automatically. (Note that we do not need to handle mixed signed + unsigned code
>> specially, it already requires a confirmation.) Unsigned applets, if we choose
>> to allow them being opted in, can be opted in on a full domain name basis.
>>
>> The main motivation I have for proposing this feature is that many applet users
>> only use a handful of applets, and having other applets automatically start is
>> mostly an unnecessary attack surface. I have seen "Disable java in browser, and
>> turn it on for any applets you need to use only" giving as advice following the
>> 0day, and this would be a superior option.
>>
>> [1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1211
>>
>> Thoughts?
>> -Adam
>
> Hi Adam,
>
> I think the idea is great and would be something I would personally make use
> of. However, I am unsure as to how worthy this will be, given that Firefox
> plans to implement something similar[1] and Chrome already having this

This is very valid point. Imho there is huge risk that you will spare huge effort, and add 
bug-possible places into code, to implement  feature which is actually implemented on better place.

> feature[2]. Within Chrome, users can specify which plugins should be activated
> using their 'Click to Play' feature. Users can add domains to a list where
> they can specify whether to always allow or deny activation of plugins. Of
> course, your design will probably include a few more options but I think this
> is something to consider looking over. In my opinion, the activation of plugins
> should be controlled via browser and not through the plugin itself.
>
> Anyways, if we do choose to implement this feature, as HelpCrypto and Jiri
> pointed out, creating a whitelist for normal execution based on domain names
> and wild character is also a welcoming approach. I would prefer not initializing
> the JVM until the user has clicked to activate if possible.
>
> [1]https://wiki.mozilla.org/Opt-in_activation_for_plugins
> [2]http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html
>