[icedtea-web] Idea - do not start ITW applets automatically
helpcrypto helpcrypto
helpcrypto at gmail.com
Wed Jan 23 03:32:54 PST 2013
> Main-class sounds reasonable -- except that technically speaking it would
> allow someone to run a completely different applet (on the same page)
> without the warning. I don't suppose it's a big deal though, because the
> same person could have bundled whatever code into the main applet.
Sorry, but Im starting to retract.
AFAICanThink unsigned applets could be hijacked in any way we check if
the site is cracked. I (cracker) can upload the same
classname+jars+etc, and end-user will be exposed, so maybe we should
check it another way.
Signed applets could be trusted based on signer, but im starting to
think the "unique key" is not a bad idea for unsigned ones...
Maybe its a dumb question but here it goes:
What can be done/dangerous running an unsigned applet?
I think unsigned applets should not be able to run *anything*
dangerous enough, so maybe this is a fake discussion.
Our signed applets does a lot of this, but thats what signed are for!
More information about the distro-pkg-dev
mailing list