[icedtea-web] URLPermission in Java 8

Omair Majid omajid at redhat.com
Wed Jun 18 17:02:34 UTC 2014


* Andrew Azores <aazores at redhat.com> [2014-06-18 12:54]:
> On 06/18/2014 12:04 PM, Omair Majid wrote:
> > * Andrew Azores <aazores at redhat.com> [2014-06-18 10:04]:
> > >This patch can't compile with Java 7
> >
> >I guess the question to ask is, do you want something built with Java 7
> >to just work on Java 7? Or do you want the same build to work with both
> >Java 7 and 8?
> >
> >If it's the first, then a compile-time switch to optionally compile a
> >8-specific class that handles this responsibility seems appropriate.
> >This is what we did for the X509TrustManager with 6/7 support. If you
> >want the second option, then you probably have to use reflection to work
> >around the issue.
> 
> Right, this is something I have no informed opinion on.

Jiri might know more about this. Getting one (compiled) version of
Icedtea-Web to work with multiple Java versions selectable at runtime is
a goal for a future (next?) release.

> >>is also probably too lenient about the URLPermission it's
> >>granting, which allows any request method with any headers to any resource
> >>recursively and inclusively in the applet codebase.
> >
> >Isn't that expected?
> 
> I don't know. That's the first thing I think we need to figure out. The
> actual result does indeed match exactly what I intended and expected for it
> to do, but I don't know if this is actually the right thing to do.

I think we should follow the Same Origin Policy [1][2][3] model used by
browsers and not be more restrictive unless there's a very very good
reason to.

Thanks,
Omair

[1] http://icedtea.classpath.org/wiki/IcedTea-Web#Same_Origin_Policy
[2] http://en.wikipedia.org/wiki/Same-origin_policy
[3] https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681
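An added example, not IcedTea-Web code and not from anyone in the thread above, comparing the grant discussed (codebase directory, recursive, any method, any header) with a grant scoped to the origin in the Same Origin Policy sense and with a deliberately narrow one. The codebase URL and the request URLs are constructed for the illustration; the "/-" path suffix and the "methods:headers" actions syntax are the ones java.net.URLPermission defines in Java 8.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLPermission;

/*
 * Added illustration, not IcedTea-Web code. Builds three differently scoped
 * URLPermission grants for one applet codebase and reports which concrete
 * requests each grant implies. All URLs below are constructed for the example.
 */
public class UrlPermissionScope {

    /* Strip the JAR (or other file) name so we are left with the codebase directory. */
    static String codebaseDir(URL codebase) {
        String path = codebase.getPath();
        return path.endsWith("/") ? path : path.substring(0, path.lastIndexOf('/') + 1);
    }

    /* scheme://host, plus the port only if the codebase URL spelled one out. */
    static String origin(URL codebase) {
        return codebase.getProtocol() + "://" + codebase.getAuthority();
    }

    /* The grant described in the thread: "/-" covers the codebase directory and
     * everything below it, "*:*" covers every request method and every header. */
    static URLPermission codebaseGrant(URL codebase) {
        return new URLPermission(origin(codebase) + codebaseDir(codebase) + "-", "*:*");
    }

    /* Same Origin Policy scope: scheme + host (+ port) only, no path restriction. */
    static URLPermission sameOriginGrant(URL codebase) {
        return new URLPermission(origin(codebase) + "/-", "*:*");
    }

    /* A deliberately narrower grant for comparison: read-only methods, fixed headers. */
    static URLPermission narrowGrant(URL codebase) {
        return new URLPermission(origin(codebase) + codebaseDir(codebase) + "-",
                                 "GET,HEAD:Accept,Accept-Language");
    }

    /* The permission shape a single concrete request is checked against. */
    static URLPermission request(String url, String method, String headers) {
        return new URLPermission(url, method + ":" + headers);
    }

    static void report(String label, URLPermission grant, URLPermission req) {
        String method = req.getActions().split(":")[0];
        System.out.printf("%-11s %-7s %-58s %s%n", label, method, req.getName(),
                          grant.implies(req) ? "allowed" : "denied");
    }

    public static void main(String[] args) throws MalformedURLException {
        URL codebase = new URL("http://applets.example.test/games/tetris/tetris.jar");
        URLPermission byCodebase = codebaseGrant(codebase);   // what the thread describes
        URLPermission byOrigin   = sameOriginGrant(codebase); // SOP-style scope
        URLPermission narrow     = narrowGrant(codebase);     // tighter alternative

        URLPermission[] requests = {
            // inside the codebase, harmless read
            request("http://applets.example.test/games/tetris/levels/1.dat", "GET", "Accept"),
            // inside the codebase, but a destructive method with a credential header:
            // the codebase grant allows it, which is the leniency raised above
            request("http://applets.example.test/games/tetris/admin/reset", "DELETE", "Authorization"),
            // same origin, outside the codebase directory: only the SOP-style grant allows it
            request("http://applets.example.test/account/profile", "POST", "Content-Type,Cookie"),
            // same host, different scheme: denied by all three (scheme must match)
            request("https://applets.example.test/games/tetris/levels/1.dat", "GET", "Accept"),
            // different host: denied by all three
            request("http://cdn.example.test/games/tetris/levels/1.dat", "GET", "Accept"),
        };
        for (URLPermission req : requests) {
            report("codebase/-", byCodebase, req);
            report("origin/-", byOrigin, req);
            report("narrow", narrow, req);
        }
    }
}
```

The first two requests show the point raised in the thread: the codebase grant treats a GET for a level file and a DELETE with an Authorization header identically, because "*:*" places no limit on methods or headers. The third shows what following the Same Origin Policy would change: an origin-scoped grant is path-agnostic, so it is looser than the codebase grant on path while being identical on methods and headers. Both the grants and the requests are built without an explicit port, so the output does not depend on how URLPermission treats a missing port.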

