[rfc][icedtea-web] Fix support for signed applets with sandbox permissions in manifest

[Andrew Azores]

On 06/18/2014 01:44 PM, Andrew Azores wrote:
> On 06/18/2014 12:01 PM, Jiri Vanek wrote:
>> On 05/27/2014 06:23 PM, Andrew Azores wrote:
>>> Hi,
>>>
>>> This patch allows signed applets with sandbox permissions specified in
>>> their manifests to actually
>>
>>
>> How it is dealing with mixed (signed + unsigned code) apps?
>
> I don't have any examples of mixed signing apps with a Permissions 
> manifest attribute, but a reproducer could be prepared for this case.
>

Quick progress update: I'm working with Lukasz on creating this 
reproducer, since it's a good example of a fairly complicated reproducer 
test. Once that's ready then it can go into a changeset along with the 
already provided test. This will cover fully signed and partially signed 
applets, both with Permissions: sandbox in the manifest.

Which other possible combinations of Signing x Manifest x Plugin/JNLP 
are worthy of testing? Plugin vs JNLP does have a distinction in the 
Permissions attribute spec, so that should probably be tested. Signing 
of course needs to be done, but fully vs partially is probably 
sufficient, since unsigned applets are only allowed to be sandboxed 
anyway. Do we also want to have tests for Permissions: all-permission in 
the manifest? And the case of no manifest permissions attribute at all 
is pretty well covered already by a lot of other reproducers (eg 
MixedSigningApplet and CustomPoliciesTest) IMO.

So {Fully Signed, Partially Signed} x {Permissions: sandbox, 
Permissions: all-permission} X {Plugin, JNLP} ?

Thanks,

-- 
Andrew A