[icedtea-web] Idea - do not start ITW applets automatically

Mon Nov 19 11:45:21 PST 2012

On 11/16/2012 12:01 PM, Saad Mohammad wrote:
> On 11/15/2012 03:30 PM, Adam Domurad wrote:
>> So in lieu of requests such as [1] and the potential for unsigned code escaping
>> the sandbox (eg, the recent 0day) it could be worth looking into a feature that
>> has applets not start automatically, but rather require a user confirmation
>> (click?) to begin. Additionally a more strict setting could not allow This could
>> be controlled via itweb-settings/environment and distributions might want it as
>> the default.
>>
>> There should be some way to opt-in normal execution of signed applets based on
>> certificate. When an applet's certificates are all opted in, it will start
>> automatically. (Note that we do not need to handle mixed signed + unsigned code
>> specially, it already requires a confirmation.) Unsigned applets, if we choose
>> to allow them being opted in, can be opted in on a full domain name basis.
>>
>> The main motivation I have for proposing this feature is that many applet users
>> only use a handful of applets, and having other applets automatically start is
>> mostly an unnecessary attack surface. I have seen "Disable java in browser, and
>> turn it on for any applets you need to use only" giving as advice following the
>> 0day, and this would be a superior option.
>>
>> [1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1211
>>
>> Thoughts?
>> -Adam
> Hi Adam,
>
> I think the idea is great and would be something I would personally make use
> of. However, I am unsure as to how worthy this will be, given that Firefox
> plans to implement something similar[1] and Chrome already having this
> feature[2]. Within Chrome, users can specify which plugins should be activated
> using their 'Click to Play' feature. Users can add domains to a list where
> they can specify whether to always allow or deny activation of plugins. Of
> course, your design will probably include a few more options but I think this
> is something to consider looking over. In my opinion, the activation of plugins
> should be controlled via browser and not through the plugin itself.
>
> Anyways, if we do choose to implement this feature, as HelpCrypto and Jiri
> pointed out, creating a whitelist for normal execution based on domain names
> and wild character is also a welcoming approach. I would prefer not initializing
> the JVM until the user has clicked to activate if possible.
>
> [1]https://wiki.mozilla.org/Opt-in_activation_for_plugins
> [2]http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html
>

Good point, as Jiri pointed out it may be better to use development 
cycles elsewhere. I'm not sure if they support this now, but if a domain 
name can 'allow all plugins' then it's fairly redundant with any 
domain-name opt-in we would have. While it may be good to have for more 
minimalist browsers, this was about giving users more choice, and it 
seems with the new browser improvements this choice exists.

Probably for the best to at least shelf this until the browser 
implementations have been around for a while, at which point I suspect 
we'll see little need to implement it.

Thanks for the feedback Saad :)
- Adam