[icedtea-web] URLPermission in Java 8

Andrew Azores aazores at redhat.com
Wed Jun 18 17:51:56 UTC 2014


On 06/18/2014 01:02 PM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-06-18 12:54]:
>> On 06/18/2014 12:04 PM, Omair Majid wrote:
>>> * Andrew Azores <aazores at redhat.com> [2014-06-18 10:04]:
>>>> This patch can't compile with Java 7
>>>
>>> I guess the question to ask is, do you want something built with Java 7
>>> to just work on Java 7? Or do you want the same build to work with both
>>> Java 7 and 8?
>>>
>>> If it's the first, then a compile-time switch to optionally compile an
>>> 8-specific class that handles this responsibility seems appropriate.
>>> This is what we did for the X509TrustManager with 6/7 support. If you
>>> want the second option, then you probably have to use reflection to work
>>> around the issue.
>>
>> Right, this is something I have no informed opinion on.
>
> Jiri might know more about this. Getting one (compiled) version of
> Icedtea-Web to work with multiple Java versions selectable at runtime is
> a goal for a future (next?) release.
>
>>>> is also probably too lenient about the URLPermission it's
>>>> granting, which allows any request method with any headers to any resource
>>>> recursively and inclusively in the applet codebase.
>>>
>>> Isn't that expected?
>>
>> I don't know. That's the first thing I think we need to figure out. The
>> actual result does indeed match exactly what I intended and expected for it
>> to do, but I don't know if this is actually the right thing to do.
>
> I think we should follow the Same Origin Policy [1][2][3] model used by
> browsers and not be more restrictive unless there's a very very good
> reason to.
>
> Thanks,
> Omair
>
> [1] http://icedtea.classpath.org/wiki/IcedTea-Web#Same_Origin_Policy
> [2] http://en.wikipedia.org/wiki/Same-origin_policy
> [3] https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
>

So do you think the permission granted in the "proof of concept" patch 
is actually good enough as it is?

Thanks,
-- 
Andrew Azores
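
The scope question discussed in this thread, as an added example that is not part of the original message or of the patch: it compares a grant shaped the way the thread describes (any method, any headers, recursive under the codebase) with a narrower one, using java.net.URLPermission.implies() from Java 8. The codebase URL, the sample requests, the class name and the narrower "GET:" grant are assumptions made up for illustration.

```java
import java.net.URLPermission;

// Added example: what a codebase-wide URLPermission does and does not cover.
// CODEBASE and the sample requests are constructed, not taken from the patch.
public class UrlPermissionScope {
    static final String CODEBASE = "http://applets.example.com/app/";

    // Grant as described in the thread: any method, any headers ("*:*"),
    // recursive under the codebase (trailing "-").
    static URLPermission broad() {
        return new URLPermission(CODEBASE + "-", "*:*");
    }

    // Hypothetical narrower grant: GET only, no extra request headers.
    static URLPermission narrow() {
        return new URLPermission(CODEBASE + "-", "GET:");
    }

    // True if the grant covers a request to url with the given "methods:headers".
    static boolean covers(URLPermission granted, String url, String actions) {
        return granted.implies(new URLPermission(url, actions));
    }

    public static void main(String[] args) {
        String[][] requests = {
            {CODEBASE + "data/config.xml", "GET:"},
            {CODEBASE + "data/config.xml", "DELETE:"},
            {CODEBASE + "api/upload", "POST:X-Custom-Header"},
            {"http://applets.example.com/other/file", "GET:"},  // outside codebase path
            {"http://applets.example.com:8080/app/x", "GET:"},  // different port
            {"https://applets.example.com/app/x", "GET:"},      // different scheme
        };
        for (String[] r : requests) {
            System.out.printf("%-42s %-22s broad=%-5b narrow=%b%n",
                    r[0], r[1],
                    covers(broad(), r[0], r[1]),
                    covers(narrow(), r[0], r[1]));
        }
    }
}
```

The broad grant covers the first three requests and the narrow one only the first; neither covers a different path prefix, port or scheme, which is the same-origin boundary referred to above.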

