[rfc][icedtea-web] Fix support for signed applets with sandbox permissions in manifest
Andrew Azores
aazores at redhat.com
Thu Jun 19 14:11:24 UTC 2014
On 06/18/2014 01:44 PM, Andrew Azores wrote:
> On 06/18/2014 12:01 PM, Jiri Vanek wrote:
>> On 05/27/2014 06:23 PM, Andrew Azores wrote:
>>> Hi,
>>>
>>> This patch allows signed applets with sandbox permissions specified in
>>> their manifests to actually
>>
>>
>> How it is dealing with mixed (signed + unsigned code) apps?
>
> I don't have any examples of mixed signing apps with a Permissions
> manifest attribute, but a reproducer could be prepared for this case.
>
Quick progress update: I'm working with Lukasz on creating this
reproducer, since it's a good example of a fairly complicated reproducer
test. Once that's ready then it can go into a changeset along with the
already provided test. This will cover fully signed and partially signed
applets, both with Permissions: sandbox in the manifest.
Which other possible combinations of Signing x Manifest x Plugin/JNLP
are worthy of testing? Plugin vs JNLP does have a distinction in the
Permissions attribute spec, so that should probably be tested. Signing
of course needs to be done, but fully vs partially is probably
sufficient, since unsigned applets are only allowed to be sandboxed
anyway. Do we also want to have tests for Permissions: all-permission in
the manifest? And the case of no manifest permissions attribute at all
is pretty well covered already by a lot of other reproducers (eg
MixedSigningApplet and CustomPoliciesTest) IMO.
So {Fully Signed, Partially Signed} x {Permissions: sandbox,
Permissions: all-permission} X {Plugin, JNLP} ?
Thanks,
--
Andrew A
More information about the distro-pkg-dev
mailing list