Closed Bug 122137 Opened 24 years ago Closed 22 years ago

No warning in windows created by a JAVA-applet

Categories

(Core Graveyard :: Java: OJI, enhancement)

Product:
Core Graveyard
Component:
Java: OJI
Platform:
x86
Linux
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: hinte, Assigned: yuanyi21)

References

(
URL
)

Details

From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:0.9.7) Gecko/20011221 BuildID: 2001122108 When a JAVA-applet creates a new window, there is no warning, that it is created by a JAVA-applet. Someone could fake system or mozilla messages with that and ask you to enter your mail password or something. In netscape 4.79 and earlier is this nice little warning at the bottem of the new window. Reproducible: Always Steps to Reproduce: 1.go to http://java.sun.com/sfaq/example/myWindow.html 2.wait a second 3.take a look 4.compare with netscape 4.7X Expected Results: Show a permanent warning at top or bottom of the window or in the titlebar of this window
See also bug 64676, a similar bug involving javascript rather than java. Since javascript gives malicious coders the same ability to create a window that can look like any other Mozilla window, re-adding the ugly warning from 4.x wouldn't be very useful. Putting something in the titlebar or changing the icon might make sense, but don't forget that a page could still spoof any non- maximized window by drawing something in its content area that *looks* like a window.
Status: UNCONFIRMED → NEW
Ever confirmed: true
We can't really solve this problem, although we can make spoofing more difficult. As long as Java allows an applet to draw arbitrary graphics, a malicious applet will always be able to spoof a browser window with some degree of fidelity. Nonetheless, I think the warning a la 4.x is a good idea, and I believe Sun will have to implement it. Reassigning to OJI, which may not be the correct component but they should know who to send this to.
Assignee: mstoltz → joe.chou
Component: Security: General → OJI
QA Contact: bsharma → pmac
We don't do this for windows created by javascript, so why take up space in windows created by java? I think that would only discourage the use of java (for applications as well as exploits).
I think this should be done for JAVA and for JavaScript Windows. Without this you can not distinguish between windows created bei JAVA / JavaScript and system messages. This is a security feature. Why should the little warning that was used in Netscape 4 discourage the use of JAVA?
QA Contact: pmac → petersen
reassign to me
Assignee: joe.chou → joshua.xia
I think the warnning under the window is *vvvvvery* ugly. If we have to add that uglr warnning, can we supply a checkbox in preference and then user can disable it.
Whiteboard: redesign?
Whiteboard: redesign?
Status: NEW → ASSIGNED
->kyle
Assignee: joshua.xia → kyle.yuan
Status: ASSIGNED → NEW
This is not a mozilla bug, is a jre bug, because you will get the same result using appletviewer. I've filed a bug against this issue to java team.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
In addition, if you have the AllPermission entry in .java.policy file, you won't see the warning.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.