[rfc][icedtea-web] Reflectively add URLPermission to SecurityDesc if available

Omair Majid omajid at redhat.com
Mon Jul 14 15:09:59 UTC 2014


* Andrew Azores <aazores at redhat.com> [2014-07-14 10:07]:
> On 07/03/2014 05:14 PM, Andrew Azores wrote:
> 
>     On 07/03/2014 05:02 PM, Omair Majid wrote:
> 
>         * Andrew Azores <aazores at redhat.com> [2014-07-03 16:55]:
> 
>             +            codebaseHost = new URI(codebase.getScheme(), codebase.getUserInfo(), codebase.getHost(), -1, null, null, null);
> 
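Review bot: the hard-coded -1 port discards any explicit port in the codebase URL, and since URLPermission assumes port 80 for http and 443 for https when the port is absent (per the portrange documentation quoted below), a codebase served from a non-default port such as 9090 would fall outside the resulting permission; pass codebase.getPort() through instead, or use the "*" port wildcard if the intent is to match the port-less SocketPermission already granted.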
>         Why -1 for port? This seems strange compared to the same-origin-policy.
> 
>         Thanks,
>         Omair
> 
> 
> 
>     It doesn't seem to be specified for the SocketPermission granted in
>     SecurityDesc either - downloadHost is just the hostname part of the
>     codebase URL AFAICT. So I haven't specified a port for the URLPermission so
>     as to not be more restrictive than the SocketPermission.

That sounds like a bug. This should be fixed.

>     There's also this in the URLPermission docs:
> 
>         portrange is used to specify a port number, or a bounded or unbounded
>         range of ports that this permission applies to. If portrange is absent
>         or invalid, then a default port number is assumed if the scheme is http
>         (default 80) or https (default 443). No default is assumed for other
>         schemes. A wildcard may be specified which means all ports.

Won't this break applets and webstart applications that run the
webserver on non-default ports? For example, [1] uses port 9090.

Thanks,
Omair

[1] http://www.symantec.com/connect/forums/sepm-console-unable-launch-application-after-java-upgrade-7u51

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681
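To make the port difference discussed in this thread concrete, here is an added illustration (not icedtea-web code) comparing how SocketPermission and URLPermission treat an absent port, plus a hypothetical helper that carries the codebase port through instead of passing -1. The host, port and path values are constructed samples.

```java
import java.net.SocketPermission;
import java.net.URI;
import java.net.URLPermission;

// Added illustration, not icedtea-web code. Host, ports and paths below are
// constructed sample values; codebasePermission() is a hypothetical helper.
public class CodebasePortDemo {

    static final String HOST = "example.com"; // constructed sample host

    /** Grant everything under the codebase authority, carrying an explicit
     *  codebase port through instead of dropping it with port -1. */
    static URLPermission codebasePermission(URI codebase) {
        int port = codebase.getPort(); // -1 when the codebase URL names no port
        String authority = port == -1 ? codebase.getHost() : codebase.getHost() + ":" + port;
        return new URLPermission(codebase.getScheme() + "://" + authority + "/-");
    }

    public static void main(String[] args) throws Exception {
        // SocketPermission without a port: the grant covers every port.
        SocketPermission sockGrant = new SocketPermission(HOST, "connect");
        SocketPermission sockReq = new SocketPermission(HOST + ":9090", "connect");
        System.out.println("SocketPermission, no port, connect to :9090 -> " + sockGrant.implies(sockReq));

        // URLPermission without a port: for http the default port 80 is assumed,
        // so a request to port 9090 falls outside the grant.
        URLPermission urlGrant = new URLPermission("http://" + HOST + "/-");
        URLPermission req80 = new URLPermission("http://" + HOST + ":80/app/launch.jnlp");
        URLPermission req9090 = new URLPermission("http://" + HOST + ":9090/app/launch.jnlp");
        System.out.println("URLPermission, no port, request to :80   -> " + urlGrant.implies(req80));
        System.out.println("URLPermission, no port, request to :9090 -> " + urlGrant.implies(req9090));

        // Keeping the codebase port (codebase.getPort() rather than -1) covers
        // a webserver running on a non-default port...
        URI codebase = new URI("http://" + HOST + ":9090/app/");
        System.out.println("URLPermission from codebase :9090, request to :9090 -> "
                + codebasePermission(codebase).implies(req9090));

        // ...and the '*' portrange wildcard covers all ports, like SocketPermission.
        URLPermission allPorts = new URLPermission("http://" + HOST + ":*/-");
        System.out.println("URLPermission, port *, request to :9090 -> " + allPorts.implies(req9090));
    }
}
```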