[rfc] [icedtea-web] restrict all connections to origins also to ports

Jiri Vanek jvanek at redhat.com
Wed Oct 7 14:45:24 UTC 2015


On 10/07/2015 04:30 PM, Andrew Azores wrote:
> On 07/10/15 10:22 AM, Jiri Vanek wrote:
>> On 10/07/2015 04:18 PM, Andrew Azores wrote:
>>> Hi,
>>>
>>> I think this looks mostly okay. One nit/question:
>>>
>>> On 06/10/15 08:12 AM, Jiri Vanek wrote:
>>>> +    public static int sanitizePort(final int port) {
>>>> +        if (port < 0) {
>>>> +            return 80;
>>>> +        }
>>>> +        return port;
>>>> +    }
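Review bot: `sanitizePort` turns every unspecified (negative) port into 80 without looking at the URL's scheme, so an `https://` or `ftp://` resource with no explicit port would be compared, or connected to, as if it lived on port 80. Pass the `URL` (or at least its protocol) instead of a bare `int`, return `url.getPort()` when it is non-negative, and otherwise fall back to `url.getDefaultPort()`; if that is still -1 the scheme has no known default and the caller should treat it as an error rather than silently getting 80.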
>>>
>>> What if the connection isn't over HTTP? If it's HTTPS then should the
>>> default port returned here still be 80? What about for something even
>>> more different, like FTP?
>>>
>>
>> That's a very valid point and very probably the reason why it was not there
>> originally.
>>
>> The entrances for the calling methods are URLs, so following the
>> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
>>
>> should be ok.
>>
>> J.
>
> I don't follow... if I have a resource at https://some.host.com/resource/path/app.jar , then
> attempting to connect via "some.host.com:80" is either going to force an insecure connection to the
> server (uh-oh!) or just result in the webserver denying the request, isn't it?
>
> And if I have a resource on public FTP likewise at ftp://some.host.com/resource/path/app.jar and try
> to connect via "some.host.com:80", then the server might even just reject the connection, if it's
> running only an FTP server on default port 21 and no webserver on 80.
>
Sorry, I was not clear.

I meant to add a mapping like:
if a port number was specified, return that port
if not:
if the protocol is http return 80
if it is https return 443
if it is ftp return 20
if it is scp return 22
if it's telnet return ...
gopher ...

... generally anything Java has a handler for.

I just updated the patch with 
http://docs.oracle.com/javase/7/docs/api/java/net/URL.html#getDefaultPort%28%29

Is it ok for you now?
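The scheme-aware port resolution the thread converges on, written out as an added example that is not IcedTea-Web's patch or code: the explicit port wins when the URL carries one, otherwise java.net.URL.getDefaultPort() supplies the protocol handler's default, and a URL whose port cannot be determined is rejected instead of being mapped to 80. The class and method names (OriginPort, effectivePort, sameOrigin) and the scheme/host/port triple used for the origin comparison are assumptions made for the example; the hostnames are taken from the thread and are not real endpoints.

```java
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Added example (not IcedTea-Web code): resolve the port that an origin check
 * should compare, taking the scheme into account instead of defaulting to 80.
 */
public final class OriginPort {

    private OriginPort() {
    }

    /**
     * The port an origin check should use for this URL: the explicit port when
     * one was written in the URL, otherwise the scheme's default as known to
     * the URL's protocol handler. Returns -1 when neither is available.
     */
    public static int effectivePort(final URL url) {
        final int explicit = url.getPort();          // -1 when the URL has no ":port"
        if (explicit >= 0) {
            return explicit;
        }
        return url.getDefaultPort();                 // handler default, -1 if it has none
    }

    /**
     * Strict origin comparison: scheme, host and effective port must all match.
     * (Assumption: this is the triple the "restrict connections to origins" check
     * in the thread wants to compare.) A URL whose port cannot be determined is
     * never considered same-origin with anything.
     */
    public static boolean sameOrigin(final URL a, final URL b) {
        final int pa = effectivePort(a);
        final int pb = effectivePort(b);
        if (pa < 0 || pb < 0) {
            return false;
        }
        return a.getProtocol().equalsIgnoreCase(b.getProtocol())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && pa == pb;
    }

    public static void main(final String[] args) throws MalformedURLException {
        // Constructed sample URLs (hostnames taken from the thread, not real endpoints).
        final String[] samples = {
            "http://some.host.com/resource/path/app.jar",
            "https://some.host.com/resource/path/app.jar",
            "https://some.host.com:443/resource/path/app.jar",
            "https://some.host.com:8443/resource/path/app.jar",
            "ftp://some.host.com/resource/path/app.jar",
        };
        for (final String s : samples) {
            final URL u = new URL(s);
            System.out.printf("%-50s explicit=%3d effective=%3d%n", s, u.getPort(), effectivePort(u));
        }

        final URL plain = new URL(samples[1]);
        final URL withPort = new URL(samples[2]);
        final URL other = new URL(samples[3]);
        System.out.println("https vs https:443  same origin? " + sameOrigin(plain, withPort));
        System.out.println("https vs https:8443 same origin? " + sameOrigin(plain, other));
        System.out.println("http  vs https      same origin? " + sameOrigin(new URL(samples[0]), plain));

        // A scheme without a registered protocol handler cannot even be parsed into a
        // URL, so it never reaches the port logic; surface that instead of guessing 80.
        try {
            new URL("scp://some.host.com/resource/path/app.jar");
        } catch (final MalformedURLException e) {
            System.out.println("no handler for scp: " + e.getMessage());
        }
    }
}
```

Compiling and running the class with `javac OriginPort.java && java OriginPort` shows why the scheme matters: the https URL with no port and the one with an explicit :443 resolve to the same effective port and compare as the same origin, while the :8443 variant and the plain-http variant do not, which is the distinction a fixed port of 80 would erase.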

