[icedtea-web] URLPermission in Java 8

Andrew Azores aazores at redhat.com
Wed Jun 18 14:03:34 UTC 2014


Hi,

There's a new permission in Java 8 known as URLPermission [0]. It's used 
to restrict access to, well, URL resources. Some of our manual test case 
applets are affected by this, for example, Oasis [1].

I can't find any documentation on how exactly Oracle grants applets 
URLPermissions, e.g. what kind of path they're allowing the applets to 
access, or which HTTP methods and headers they may use, etc. So 
determining sane defaults on these is the primary point of discussion 
for this thread. We could just try to ask Oracle what they're granting 
as well and mirror that.

To confirm that Oasis is impacted by this new permission:
(1) (using openjdk7) Build IcedTea-Web.
(2) Launch browser from terminal
(3) Go to Oasis URL
(4) Observe that applet launches successfully
(5) system-switch-java to openjdk8
(6) Repeat 1-3 and observe that Oasis no longer launches due to 
SecurityExceptions from missing URLPermissions

As a sort of proof of concept, I've attached a small patch. Applying 
this patch to HEAD and repeating the Oasis test procedure with Java 8 in 
use should allow Oasis to run again. This patch can't compile with Java 
7, however, and is also probably too lenient about the URLPermission 
it's granting, which allows any request method with any headers to any 
resource recursively and inclusively in the applet codebase. So the 
second point of discussion for this thread is how to resolve actually 
adding this permission to the default sandbox permission set.

[0] http://docs.oracle.com/javase/8/docs/api/java/net/URLPermission.html
[1] https://oasisweb.uga.edu/oasis.html

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: urlpermission-test.patch
Type: text/x-patch
Size: 1695 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140618/c22ebf0e/urlpermission-test.patch>
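
The scope question raised in the message above, as an added example (not part of the original message and not the attached patch): it compares a grant of the lenient shape the message describes with a narrower one, using URLPermission.implies(). The codebase URL, the "GET,POST:" alternative and the sample requests are constructed assumptions for illustration.

```java
import java.net.URLPermission;

// Requires Java 8 or later: java.net.URLPermission does not exist in Java 7.
public class UrlPermissionScope {
    // Constructed codebase for illustration; not the Oasis applet's real codebase.
    static final String CODEBASE = "https://applets.example.org/app/";

    // Grant of the shape the message describes: any request method, any headers,
    // every resource under the codebase recursively (a path ending in "/-").
    static URLPermission lenient() {
        return new URLPermission(CODEBASE + "-", "*:*");
    }

    // Hypothetical narrower default: GET and POST only, no request headers listed.
    static URLPermission narrow() {
        return new URLPermission(CODEBASE + "-", "GET,POST:");
    }

    // Print whether the granted permission implies the requested one.
    static void check(String label, URLPermission granted, URLPermission requested) {
        System.out.printf("%-8s %-48s %-22s -> %s%n", label,
                requested.getName(), requested.getActions(), granted.implies(requested));
    }

    public static void main(String[] args) {
        // Constructed requests: each is a permission a sandboxed applet might need.
        URLPermission[] requests = {
            new URLPermission(CODEBASE + "data/report.xml", "GET:"),
            new URLPermission(CODEBASE + "data/report.xml", "DELETE:"),
            new URLPermission(CODEBASE + "api/submit", "POST:X-Custom-Token"),
            new URLPermission("https://other.example.net/file", "GET:"),
        };
        for (URLPermission r : requests) {
            check("lenient", lenient(), r);
            check("narrow", narrow(), r);
        }
    }
}
```

Neither grant implies the request to the other host; the narrow grant additionally refuses the DELETE request and the POST that carries a header it does not list.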

