[rfc][icedtea-web] Reflectively add URLPermission to SecurityDesc if available

Andrew Azores aazores at redhat.com
Tue Jul 15 15:44:19 UTC 2014


On 07/15/2014 11:19 AM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-07-15 11:12]:
>> Which part? Just the URLPermission's port, or the downloadHost itself?
> The port: it should match the port where the jars were downloaded from.

Hmm. Does JNLPFile#getCodebase()#toURI()#normalize()#getPort() sound 
right? That's what it boils down to in this patch now. I don't know of 
anywhere where we keep a more explicit reference to the port that was 
actually used to download the resources, but I suppose that would 
generally be either that same port, or if not specified, then just the 
default port for the protocol, so the same thing as this. Right?

>
>> Okay, the attached patch explicitly uses the "wildcard port" for
>> URLPermission. I also added some new tests and cleaned up the existing
>> SecurityDesc tests.
> I think it would be more correct to match the source port (the port
> where the jars were downloaded from). The patch seems more lax than what
> the Same-Origin-Policy specifies. It's okay for now, but it should be
> locked down further.
>
> Thanks,
> Omair
>

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: urlpermissions-6.patch
Type: text/x-patch
Size: 12299 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140715/40fa1120/urlpermissions-6.patch>
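
The port question discussed in this message, as an added example that is not part of the original post or of urlpermissions-6.patch: it derives the port a codebase URL resolves to (explicit port, else the protocol default, since URI#getPort() returns -1 when none is given) and compares a port-locked URLPermission with the wildcard-port form. The class name, helper names and the example.test URLs are assumptions made for illustration; it requires Java 8 or later for java.net.URLPermission.

```java
import java.net.URI;
import java.net.URL;
import java.net.URLPermission;

public class CodebasePortPermission {

    // Port the codebase resolves to: the explicit port if one is given,
    // otherwise the protocol default (80 for http, 443 for https).
    static int effectivePort(URL codebase) throws Exception {
        int port = codebase.toURI().normalize().getPort(); // -1 if unspecified
        if (port == -1) {
            port = codebase.getDefaultPort();              // -1 if protocol has none
        }
        if (port == -1) {
            throw new IllegalArgumentException("no port for " + codebase);
        }
        return port;
    }

    // Permission limited to the codebase host AND the port it was served from.
    static URLPermission portLocked(URL codebase) throws Exception {
        return new URLPermission(codebase.getProtocol() + "://"
                + codebase.getHost() + ":" + effectivePort(codebase) + "/-");
    }

    // Permission for the codebase host on any port (the laxer variant).
    static URLPermission wildcardPort(URL codebase) {
        return new URLPermission(codebase.getProtocol() + "://"
                + codebase.getHost() + ":*/-");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        URL explicit = URI.create("http://example.test:8080/app/").toURL();
        URL implicit = URI.create("https://example.test/app/").toURL();
        URLPermission samePort = new URLPermission("http://example.test:8080/data");
        URLPermission otherPort = new URLPermission("http://example.test:9090/admin");

        System.out.println("explicit port: " + effectivePort(explicit));
        System.out.println("implicit port: " + effectivePort(implicit));
        System.out.println("locked, same port:    " + portLocked(explicit).implies(samePort));
        System.out.println("locked, other port:   " + portLocked(explicit).implies(otherPort));
        System.out.println("wildcard, other port: " + wildcardPort(explicit).implies(otherPort));
    }
}
```

The port-locked permission does not imply a request to another port on the same host, while the wildcard form does, which is the gap relative to the Same-Origin-Policy raised in the quoted review.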

