[rfc][icedtea-web] Backport unsigned applet confirmation to icedtea-web 1.2

Thu Feb 28 08:46:57 PST 2013

On 02/27/2013 04:02 PM, Adam Domurad wrote:
> On 02/27/2013 12:01 PM, Jiri Vanek wrote:
>> On 02/26/2013 10:59 PM, Adam Domurad wrote:
>>> NB: This is a work in progress, posting for early feedback.
>>>
>>> So a back-port was requested for 1.2 for systems that still use it. 
>>> I tried to use as much
>>> already-reviewed material as possible while retaining simplicity.
>>>
>>> The whitelist attempts to be forwards compatible with the patch 
>>> aimed at HEAD, but generally it does
>>> plain string matching without regex.
>>>
>>> The icedtea-web settings panel simply has a box that changes the 
>>> security level, and a button to
>>> clear the current whitelist.
>>>
>>> I *think* everything is working, but I was in a rush posting this, 
>>> so let me know. There are a few
>>> println statements left in, but again, rush.
>>>
>>> This is of course meant to be applied to the 1.2 release branch.
>>>
>>> Cheers,
>>> -Adam
>>
>> Hi!
>>
>> I like this backport. Looks like it is working....
>> I like that you have  addapted  as much code as possible, and you are 
>> keeping forward compatibility.
>> => Maybe it is also worthy to backport UnsignedAppletActionEntry.java 
>> , which is handling the loading of lines.
>
> I looked at it but decided to go for the simplest route possible with 
> the matching/storing/loading, which was treating the file as a set of 
> strings.
>
>> Also I like the url normlaization stuff.
>>
>> mayor nit:
>> The checkbox is not working. Decision is always saved.
>
> Sorry, this is a remnant of the behaviour of storing y/n in HEAD. 
> Fixed now.
>
>> Proceed/cancel is not saved correctly  - in all cases "N" is saved
>> The values in .applettrustSettings are overriding main policy. Is 
>> this even in head?
>
> Really ? I couldn't reproduce this. Still doing as much testing as I 
> can. Let me know if you have concrete reproduction steps. Note that 
> the browser will have to be restarted after changing setting in 
> itweb-settings
>
>> This file should be checked only (in case of this backport) only 
>> during "high security"
>>
>> Minor nits - in head the items in combobobx are sorted in reversed 
>> order.
>
> Fixed
>
>> Sometimes I noted that the combobozx have not setup its value 
>> accordingly user's value
>
> I am not sure what you mean. Do you have steps to reproduce this?
>
>> The exeption should be maybe more clear (eg distinguish custompolicy 
>> and "by applet| policy in its text) - I think this is valid also fo head
>
> The one thrown when applet is denied ? Good point. Added 'The applet 
> was unsigned, and was not trusted.' for when user rejects / blacklist 
> rejects the applet. They are now 
> LUnsignedAppletPolicyDenied/LUnsignedAppletUserDenied. I will include 
> it in my next version for HEAD.
>
>>
>> imho both
>> User file : /home/jvanek/.icedtea/deployment.properties
>> System file : null
>>  outputs should be gone...
>
> Sorry! Those were the 'println's that I noted.
>
>>
>> For 1.3 I would ratehr  like to have full backport of head.
>
> I'm not too strongly opinionated either way.
>
>>
>>
>> Thanx for backport!
>>
>>    J.
>
> Attached is new version, also added missing copyright headers.
>
> Happy hacking,
> -Adam

Jiri noticed that when I switched the order of the security descriptions 
in itweb-settings I incorrectly had their mapping wrong. This should fix it.
No other change though.

Thanks.
-Adam

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dialogue-1.2-backport3.patch
Type: text/x-patch
Size: 50320 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130228/e861a295/dialogue-1.2-backport3.patch 