[Bug 2472] New: ITW: networking same origin policy not in sync with Oracle Java 8

bugzilla-daemon at icedtea.classpath.org
Wed Jun 24 14:45:03 UTC 2015


http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2472

            Bug ID: 2472
           Summary: ITW: networking same origin policy not in sync with
                    Oracle Java 8
           Product: IcedTea-Web
           Version: unspecified
          Hardware: all
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: Plugin
          Assignee: jvanek at redhat.com
          Reporter: thoger at redhat.com
                CC: unassigned at icedtea.classpath.org

Java's same-origin policy (SOP) differs from the browser-enforced SOP in that it
considers two hosts to be the same origin if they share the same IP address.
This behaviour can be found documented in e.g. Browser Security Handbook:

https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Java

  Java applets, ..., roughly follow the basic concept of same-origin checks
  applied to a runtime context derived from the site the applet is downloaded
  from - except that rather unfortunately to many classes of modern websites,
  different host names sharing a single IP address are considered same-origin
  under certain circumstances.

These traditional same-origin checks evolved in (Oracle) JDK8:

  https://bugs.openjdk.java.net/browse/JDK-8010464
  http://openjdk.java.net/jeps/184
  http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/93a268759ec3
  http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dd0deeb04933

Different host names pointing to the same IP are no longer considered same
origin by the Oracle JDK8 browser plugin.  Its documentation now says e.g.:

https://docs.oracle.com/javase/tutorial/deployment/applet/security.html

  They can make network connections to the host and port they came from.
  Protocols must match, and if a domain name is used to load the applet, the
  domain name must be used to connect back to the host, not the IP address.

ITW, even when used with OpenJDK8 with JEP 184 changes, still enforces the old
same IP == same origin SOP.  It seems it needs to be adjusted to follow the new
policy when used with JDK8.  The behaviour for JDK7 should likely stay
unchanged for consistency with Oracle JDK7.

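The two rules the report contrasts, modelled side by side as an added example (not IcedTea-Web or OpenJDK code). The name-service table and the URLs are constructed for the illustration; the legacy rule is reduced to what the report states (same resolved IP means same origin), and the JDK8 rule follows the Oracle tutorial text quoted above (protocol, host as written, and port must all match):

```python
"""Model of the two Java applet same-origin rules described in the bug.

Stand-alone illustration, not IcedTea-Web or OpenJDK code.  The DNS
table and the URLs are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed name service: two unrelated sites hosted on one address
# (the virtual-hosting case the Browser Security Handbook warns about).
FAKE_DNS = {
    "www.example.com": "192.0.2.10",
    "other.example.net": "192.0.2.10",
    "evil.example.org": "203.0.113.5",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve(host):
    """Return the address a host maps to in the constructed table.

    IP literals map to themselves; unknown names fail to resolve (None).
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)


def origin(url):
    """Split a URL into (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    if not u.scheme or not u.hostname:
        raise ValueError(f"URL without scheme or host: {url!r}")
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme)


def legacy_same_origin(codebase, target):
    """Pre-JDK8 rule as the report describes it: two hosts are the same
    origin if they resolve to the same IP address.  Name-versus-IP
    spelling, protocol and port play no part in the decision."""
    _, chost, _ = origin(codebase)
    _, thost, _ = origin(target)
    caddr, taddr = resolve(chost), resolve(thost)
    return caddr is not None and caddr == taddr


def jdk8_same_origin(codebase, target):
    """JDK8 plugin rule from the Oracle tutorial: protocol, host and port
    must match, and the host is compared as written, so a name used to
    load the applet is never equivalent to its IP address."""
    return origin(codebase) == origin(target)


def compare(codebase, target):
    """Return (legacy_decision, jdk8_decision) for one connect-back attempt."""
    return legacy_same_origin(codebase, target), jdk8_same_origin(codebase, target)


if __name__ == "__main__":
    codebase = "http://www.example.com/applet.jar"
    for target in (
        "http://www.example.com/data",         # same name, protocol and port
        "http://other.example.net/data",       # different site, same IP
        "http://192.0.2.10/data",              # the codebase's own IP literal
        "https://www.example.com/data",        # protocol differs
        "http://www.example.com:8080/data",    # port differs
        "http://evil.example.org/data",        # different IP
    ):
        legacy, new = compare(codebase, target)
        print(f"{target:36} legacy={legacy!s:5} jdk8={new!s:5}")
```

The second and third cases are the ones the report is about: under the legacy rule an applet loaded from www.example.com may connect to other.example.net (a co-hosted, unrelated site) and to the bare IP literal, while the JDK8 rule rejects both because the host strings differ. The protocol and port cases show the two further conditions the Oracle text adds.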