Closed Bug 146458 (unicast1) Opened 22 years ago Closed 20 years ago

Liveconnect calls fail if applet's codebase is in different domain

Categories

(Core Graveyard :: Java: Live Connect, defect, P1)

Product:
Core Graveyard
Component:
Java: Live Connect
Platform:
x86
All
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.7beta

People

(Reporter: amilkowski, Assigned: caillon)

References

Details

(Keywords: topembed+, Whiteboard: LiveConnect [bugscape 19520][need info] INVALID)

Attachments

(7 files, 2 obsolete files)

page with <script src="http://localhost.unicast.br.com/html/wrapper.js"></script>
90 bytes, text/html
Details
contains applet codebase and javascript-Liveconnect call
486 bytes, application/x-javascript
Details
source code for the testapplet
304 bytes, application/octet-stream
Details
Win XP, host file C:\WINDOWS\system32\drivers\etc used to test two domains
781 bytes, text/plain
Details
new wrapper that is compatible w/ all browser syntax
1.47 KB, text/plain
Details
TestApplet.java (THE RIGHT JAVA SRC CODE , MY APPOLOGY)
306 bytes, text/plain
Details
Patch v2
11.84 KB, patch
jst
: review+
brendan
: superreview+
dbaron
: approval1.7b+
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Netscape 7.0 Preview Release 1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0rc2) Gecko/20020512 
Netscape/7.0b1 
BuildID:    

Main html page includes <script 
src="http://localhost.unicast.br.com/html/wrapper.js"></script>

wrapper.js includes applet codebase via these lines:

document.write('<applet code="TestApplet" 
codebase="http://localhost.unicast.br.com/classes/" name="TestApplet" width=0 
height=0>');
document.write('</applet>');

a sample LiveConnect call document.TestApplet.onload(); (in the wrapper.js) 
cause Netscape7 browser to issue the following exception:

sun.plugin.liveconnect.OriginNotAllowedException: JavaScript is not from the 
same origin as the Java code, caller=http://127.0.0.1, 
callee=http://localhost.unicast.br.com/classes/
	at sun.plugin.liveconnect.SecureInvocation.checkLiveConnectCaller
(Unknown Source)
	at sun.plugin.liveconnect.SecureInvocation.access$000(Unknown Source)
	at sun.plugin.liveconnect.SecureInvocation$2.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)




Reproducible: Always
Steps to Reproduce:
1. Setup two domains on the server (in my example I modified my host file to 
have local domains 127.0.0.1 and localhost.unicast.br.com 

2. using Netscape7 enter url: http://127.0.0.1/html/netscape7.html

3. in java console note the security exceptions issued

Actual Results:  exception was issued:

sun.plugin.liveconnect.OriginNotAllowedException: JavaScript is not from the 
same origin as the Java code, caller=http://127.0.0.1, 
callee=http://localhost.unicast.br.com/classes/
	at sun.plugin.liveconnect.SecureInvocation.checkLiveConnectCaller
(Unknown Source)
	at sun.plugin.liveconnect.SecureInvocation.access$000(Unknown Source)
	at sun.plugin.liveconnect.SecureInvocation$2.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)


Expected Results:  since the applet codebase comes from the same domain as the 
javascript
there is no reason for the "Origin not allowed exception"

    
    

    
  
*** This bug has been confirmed by popular vote. ***
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
no blocker

Severity: blocker → major

    
    

    
  
Running submitted testcase with:

Mozilla 1.0 Release Candidate 3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0rc3) Gecko/20020523

still produced sun.plugin.liveconnect.OriginNotAllowedException

    
    

    
  
Running submitted testcase with:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.0) Gecko/20020530

still produced sun.plugin.liveconnect.OriginNotAllowedException

    
    

    
  
Andrew,

Wait a second: 127.0.0.1 and localhost.unicast.br.com are not the same thing. 
Why not change one of the URLs to be exactly the same all the time?  Why is this
a blocker?  Perhaps I'm misunderstanding things -- can you explain why they
ought to be treated as the same domain, and moreover, *why* you can't hardcode a
consistent domain instead of using two different nomenclatures of referring to
what you think is one domain?

    
    

    
  
Arun,

  Hi.  Keep in mind that we're a 3rd party product. So, what we're simulating 
here is a real world deployment scenario for us.
1. localhost.unicast.com.br is a simulated codebase for our javascript file and 
applet jar file.  In the real world this would be adcontroller.unicast.com.

2.  127.0.0.1 is a simulation of a site using our technology.  This could just 
as easily have been www.aol.com.

  The problem is that our javascript and applet which have the same codebase 
are getting a security exception with netscape 6.  This doesn't happen with 
earlier versions of netscape or IE.

  This is a blocker for us because we need our javascript and applet to talk to 
each other which is critical for our technology.  We suspect that Mozilla is 
treating our javascript as coming from the web-site's codebase, when in reality 
it is coming from our codebase.  I just happens to be inserted into the 
website's content as a 3rd party script.

Best,
Andrew

    
    

    
  
Running submitted test case with:

Mozilla 1.1a
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1a) Gecko/20020611

still produced sun.plugin.liveconnect.OriginNotAllowedException

    
    

    
  
Received a special drop of 1.4.0_01.  I'll try and run tests with it.

    
    

    
  
This shouldn't be in Security | General, but rather, in the overloaded OJI bin
:-(  I'd like to get Sun to comment on it first.  It may well be a Mozilla issue
eventually, but currently I can think of it belonging in the OJI layer.

    
    

    
  
This belongs to the OJI layer.  Andrew, you've uploaded your source code for the
test applet (presumably a *.java file) as application/octet-stream.  Can you
upload it using text/plain?
Assignee: mstoltz → joe.chou
Component: Security: General → OJI
QA Contact: bsharma → pmac

    
    

    
  


  
Keywords: topembed

    
  
Blocks: 145287

    
    

    
  
In today's teleconference with Sun, it was suggested that the 'MAYSCRIPT'
attribute was missing from your markup (Applet tag).  Can you put that in and
see if this problem reoccurs?  Sun will look at this problem also.

    
    

    
  


  
some compatibility javascript changes so the code runs (for comparisons, ie
IE6, Netscape 4.7 and of course mozilla)

    
    

    
  


  
the previously attached src code (87984) was for a completely different defect!

(I have several of them pending, all confirmed) my greatest appology

This TestApplet DOES NOT make any Applet-Javascript calls, therefore DOES NOT
NEED to be MAYSCRIPTED!, even after adding MAYSCRIPT in the Applet tag, 
the security exception does not go away under mozilla, all other browser 
run the sample code just fine, including Netscape 4.7!

        Attachment #87984 -
        Attachment is obsolete: true

    
    

    
  
please add os/2 to OS list

    
    

    
  
I tried the test case, with and without MAYSCRIPT, also had problem, in my case,
crashed. Need to dig in more.

    
    

    
  
Running submitted test case with: (latest mozilla latest SUN JVM)

Mozilla 1.1a 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1a) Gecko/20020611

Java(TM) Plug-in: Version 1.4.1
Using JRE version 1.4.1-beta Java HotSpot(TM) Client VM

still produced sun.plugin.liveconnect.OriginNotAllowedException



    
    

    
  
I created the live sample based in the samples from Leon. I confirmed that this
is working with Netscape 4.x and does not work with Netscape 6.2.3 (win98) and
Netscape 7PR1(win98). 

Here is the file that represents the third-party site: 
-----------------------------------------------------
http://www.dhtmlplanet.com/testcases/applet/thirdparty.html

This HTML file includes (via <script src..>) the wrapper: 
--------------------------------------------------------
http://www.geckonnection.com/testcases/applet/wrapper.js

The wrapper js file is sucessfully doing document.write to the thirdparty
document writting the applet tag which origin is the same of the js file: 
http://www.geckonnection.com/testcases/applet/ 



    
    

    
  
Reassigning to security general. Michell, this is a blocker to Unicast (Rich
Media Effort). I added comment #22 so we can retest quickly. I also found the
bug 94474 that is sort of related. 

In the samples of comment #22, the first page (dhtmlplanet) is loading the
script from the location (geckonnection). The applet also comes from
(geckonnection) however we have the security exception. 

Component: OJI → Security: General

    
    

    
  
using url http://www.dhtmlplanet.com/testcases/applet/thirdparty.html
with following OS/browser/JVM configuration throws Security Exception
:

Windows XP

Java(TM) Plug-in: Version 1.4.1
Using JRE version 1.4.1-beta Java HotSpot(TM) Client VM

Netscape 6.2.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4.1) Gecko/20020508 

Regression Testing back to Netscape Communicator 4.79 succeeds (no Security 
Exception)



    
    

    
  
Well, it's working in 4.x so we added the 4xp. 
Keywords: 4xp

    
    

    
  
-> to Mitch.
Assignee: joe.chou → mstoltz
Whiteboard: LiveConnect

    
    

    
  
The problem is obvious from java console print out. Java side figure out the URL
of the applet (callee) correctly, however, since the url of caller is not the
same as the callee and based on same origin rule, the call can not be made. Java
side get the caller's URL from the param passed from liveconnect. So the browser
side need to figure out the right url of the script and pass it to java side.

    
    

    
  
Yes, but the problem is:
* No other browser I know shows this behaviour
* This security feature cannot be deactivated. (?)
Therefore a lot of Applets using LiveConnect don't work with Mozilla.

    
    

    
  
<<however, since the url of caller is not the same as the callee and based on 
same origin rule, the call can not be made. >>

They ARE the same in reality.  That's the point.  If Netscape 6 is somehow 
confusing that fact, then that is what needs to be fixed.

    
    

    
  
Load the applet at say:
www.abc.com/index.html

Have a link to a page:
www.abc.com:80/applet.html

Click on the link, then make a call to the applet.

Result: Same error will occur.


    
  
Whiteboard: LiveConnect → LiveConnect [bugscape 19520]

    
    

    
  
over to beard.
Assignee: mstoltz → beard

    
    

    
  
beard runs from java, ->bnesse
Assignee: beard → bnesse

    
    

    
  
This is a potential blocker for a major embedding customer.
Keywords: topembedmozilla1.2, 
          
            nsbeta1+, 
          
            topembed+
Whiteboard: LiveConnect [bugscape 19520] → LiveConnect [bugscape 19520] [adt2] [ETA Needed]

    
    

    
  
As per discussion with beard. The code at issue here resides in the OJI module.
->OJI.
Assignee: bnesse → joe.chou
Component: Security: General → OJI

    
    

    
  
To follow up on comment 27, yes, there is a mismatch between the origin of the
Java code "http://www.geckonnection.com/testcases/applet/" and the origin of the
document "http://www.dhtmlplanet.com/testcases/applet/thirdparty.html". The
document thirdparty.html includes includes wrapper.js, which document.writes the
<APPLET> element. In order to make this work, we need to change the apparent
origin of the thirdparty.html so that a simple minded same origin test will
succeed. The problem is how to do this, because in a sense, we need to determine
"who's" asking, and return the URL of the codebase of the caller to
nsCSecurityContext::GetOrigin().
Component: OJI → Security: General

    
    

    
  
Here's a thought about how we can fix this. Every applet runs in its own class
loader, which is presumably a subclass of java.net.URLClassLoader. This class
has the method

protected void addURL(URL url);

which allows multiple URLs to be searched when looking for classes and
resources. Couldn't the OJI module add the URL of the including document to this
class loader's array of URLs? If so, then the plugin's security check for same
origin could be modified to use this array of URLs (if it doesn't already).

    
    

    
  
Is there something we can do that doesn't require a modification on the plugin
side?  Bugscape (internal) bug 19520 has this to say:

Assume that the Applet (and its source JAR file) and the script that
LiveConnects with the Applet reside on Domain A, and that Domain B is a domain
that merely links to the Applet and the JavaScript.

*On a per LiveConnect call basis* allow the JVM to think that the script lives
on Domain A.  Inclusion of the script via script src=" . " still means that the
script is now a citizen of Domain B, but for the purpose of making this "time
tested" LiveConnect call mechanism work, allow each individual LiveConnect call
to be a citizen of Domain A.

By "time tested" I really mean since the NN4.x days.  Note that IE also aloows
this kind of thing.

This is probably what Sun recommends.  Is this a feasibility?

    
    

    
  
Based on discussions we had, we're focusing ideas with solutions targeted for
the mozilla code, without changes in java.
I'll let beard elaborate, will need input from jst, and reassign to mstoltz for
now per discussions.
Assignee: joe.chou → mstoltz

    
  
Blocks: 178882

    
    

    
  
Moving up to P1 per EDT triage. This effects topsites in Brazil and Germany.
Priority: -- → P1
Target Milestone: --- → mozilla1.3beta

    
    

    
  
Please reassign this if need be so it can get fixed as it could block certain betas.

    
    

    
  
change qa contact to Chris Petersen.
QA Contact: pmac → petersen

    
    

    
  
Clearing milestone for now.
Target Milestone: mozilla1.3beta → ---
Alias: unicast1

    
    

    
  
adt: need info.  Need to know if this is a priority for Buffy.
Whiteboard: LiveConnect [bugscape 19520] [adt2] [ETA Needed] → LiveConnect [bugscape 19520][need info]
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.5alpha

    
    

    
  
Exception:

"sun.plugin.liveconnect.OriginNotAllowedException: JavaScript is not from the 
same origin as the Java code.."

is now also reproducable on:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 
Netscape/7.1 (ax)

JDK: JRE version 1.4.2 Java HotSpot(TM)




    
    

    
  
Chris, can you weigh in on this?  Cc'ing Kyle too for his thoughts.

/be
Assignee: security-bugs → caillon
Status: ASSIGNED → NEW

    
    

    
  
Tested with the following simple page, I found IE does not compare the caller & 
callee's origins at all.

<html>
<body>
<applet code="TestApplet" codebase="http://putt.prc/test" name="TestApplet" 
width=0 height=0>
</applet>
<input type=submit value="click to invoke java" 
onclick="document.TestApplet.onload()">
</body>
</html>


    
    

    
  
http://books.mozdev.org/html/mozilla-chp-12-sect-7.html

Turning UniversalBrowserRead on might work around this issue, but I'm not sure.

    
    

    
  
Please refer to http://java.sun.com/j2se/1.3/docs/guide/plugin/security.html for 
liveconnect security. The two conditions are:
* The origin (URL) of the page is the same as the origin of the applet; 
* JavaScript is signed and UniversalBrowserRead permission is enabled for 
JavaScript. 

    
    

    
  
Please refer to http://java.sun.com/j2se/1.3/docs/guide/plugin/security.html for 
liveconnect security. The two conditions are:
* The origin (URL) of the page is the same as the origin of the applet; 
* JavaScript is signed and UniversalBrowserRead permission is enabled for 
JavaScript. 

    
    

    
  
(In reply to comment #49)
> Please refer to http://java.sun.com/j2se/1.3/docs/guide/plugin/security.html 
for 
> liveconnect security. The two conditions are:
> * The origin (URL) of the page is the same as the origin of the applet; 
> * JavaScript is signed and UniversalBrowserRead permission is enabled for 
> JavaScript. 


This document is out of date or just plain incorrect.  Read the comment above 
the lines that you cut out where it says:
"Since an applet is allowed to connect to any host, it might then send such 
information out over the network in an irresponsible manner. A security policy 
has been implemented to prevent such actions from occurring."

Applets can only phone home. They cannot connect to any host.  Sun needs to 
clean up their documentation. There isn't any security hole here.  If there 
was, it would have been exploited years ago because the legacy jvms from MS 
and Netscape along with the browsers have all allowed this behavior from day 
1.  Complex problems can seldom be solved with a single technology.  In 
Unicast's case, we provide our customers with a java & javascript solution to 
get the job done.  I cannot understand how anybody could rationally say that 
us providing a jar & javascript solution somehow relagates the 2 files to 
different domains.  They're our files.  They're on our servers.

Engineers should only be closing real security holes and not closing off lines 
of business that companies have been built upon.  Many company businesses 
depends upon this behavior, not just our's.  Having some random engineer 
somewhere dreaming up security holes based upon false assumptions is just 
plain wrong.  Applets are not allowed to contact other websites than their own 
home domain.  Why on earth is Sun trying to force Javascript to be signed in 
this instance? Firstly as I said, I think this documentation is wrong and that 
it's not implemented this way and secondly, there isn't a security hole here.

This bug is now celebrating it's 2 year anniversary.  Can't we just fix it and 
stop discussing non-existant security holes please?


    
    

    
  
(In reply to comment #50)
> (In reply to comment #49)
> > Please refer to 
http://java.sun.com/j2se/1.3/docs/guide/plugin/security.html 
> for 
> > liveconnect security. The two conditions are:
> > * The origin (URL) of the page is the same as the origin of the applet; 
> > * JavaScript is signed and UniversalBrowserRead permission is enabled for 
> > JavaScript. 

Sorry, I misread the above posting a bit.  Those conditions are 'or'ed.  If 
either condition is met then liveconnect should be allowed.  So this 
liveconnect call should be allowed even by Sun's standards. :)

    
    

    
  
(In reply to comment #50)
> Applets can only phone home. They cannot connect to any host. 
No, signed applets can phone *everywhere*.
 
> They're our files.  They're on our servers.
If they are on your servers, why do they come from the different domain? Mozilla
can deal with with home.a.com and mail.a.com, but you can't expect mozilla will
think home.a.com & home.b.com are from one organization.
 


    
    

    
  
I think you've misread the defect.  They do NOT come from a different 
domains.  They come from exactly the SAME domain.  We just license the 2 
pieces of our technology to websites around the world.  They deploy it on 
their pages.  Somehow you're assuming that the mere fact that we license it to 
them makes it their technology.  It isn't.  They're merely including our 
technology on their html pages.  The src of the javascript and the codebase of 
the jar are both pointing to our domains.  

The wrapper.js file comes from a <script src=http://home.a.com></script>.  The 
jar file has codebase=http://home.a.com.  They're on our servers. They are 
both our files.  They are the same domain.  
Now we license this technology to sites which of course are not a.com.  The 
site puts a 'tag' on their page which includes the script src shown above.  
The wrapper.js file then dynamically writes in the the <applet> tag which 
again is pointing (i.e. codebase) to home.a.com (i.e. our server!).  However, 
we've licensed our technolgy to a website called home.b.com.  That doesn't 
mean that the script is 'owned' by b.com.  It's still coming from a.com.  
b.com pays us a fee for using our technology.  These files are on our servers, 
not on their servers.  Their servers merely contain a 'reference' to our 
files!  There is a difference!  They're just pulling the javascript file from 
our server.  The javascript then pulls the jar file (i.e. by writing the 
applet tag into their page)once again from our server (i.e. codebase is the 
same domain as the script src). Why is Sun not allowing 2 files from our 
server to talk to each other????? The mere fact that we licensed the 2 files 
to a website doesn't mean that it is their technology.  It is ours.  Let our 
files talk to each other.  Why is this so hard to understand?
The .jar file and the .js file both come from our servers.  They are both just 
referenced from another site's html.  Is this clear now?  If it's not, please, 
let's talk on the phone or something.  This is a crucial distinction.  Email 
me with your contact information and we can talk directly.

    
    

    
  
Hey listen, I don't think the problem is with Sun. It appears (at least to me) 
to be a netscape issue.  We don't experience this issue with any browser other 
than netscape 6/7/mozilla.  This appears to be (from an outsider's standpoint) 
a problem with netscape getting too carried away with security.  I guess I'm 
getting frustrated that this problem is still unresolved after 2 years now.  
thanks everyone!  I hope we're getting closer to finally resolving this. :)



    
    

    
  
Okay, please calm down. I'm sorry that I've misread this bug. By reading the
comment 0 more carefully, I understand what it complains is that a webpage from
b.com refer to a js file from a.com like: <script src="http://a.com/foo.js">.
But the origin of foo.js is b.com instead of a.com which is expected by
everybody. (Maybe we should make the summary more clear.)

Obviously, how to determine the js's origin is nothing related to Java. Please
don't blame Sun at this point.

    
    

    
  
(In reply to comment #54)
> Hey listen, I don't think the problem is with Sun. It appears (at least to me) 
> to be a netscape issue.  We don't experience this issue with any browser other 
> than netscape 6/7/mozilla.  This appears to be (from an outsider's standpoint) 
> a problem with netscape getting too carried away with security.  I guess I'm 
> getting frustrated that this problem is still unresolved after 2 years now.  
> thanks everyone!  I hope we're getting closer to finally resolving this. :)
> 
> 
I have to agree that it is definitely a browser issue and not the plugin, but it
goes beyond home.a.com vs. home.b.com. In our situation, if the host name s are
different but on the same domain (such as caller=home.a.com and
callee=home20.a.com), the error persists.


    
    

    
  
(In reply to comment #56)
I have to agree that it is definitely a browser issue and not the plugin, but it
goes beyond home.a.com vs. home.b.com. In our situation, if the host name s are
different but on the same domain (such as caller=home.a.com and
callee=home20.a.com), the error persists.

-> something to add on scott's commnent here .. the problem is reproducable, 
even on the same computer (same host, same domain), but when using different 
ports.



    
    

    
  
re comment 22 and all following comments which are confused:

in web browsers scripts are tied to the html document that owns them. otherwise
i could import a script from http://payroll.internal/basic.js and call a
function on it to change your mailing address to mine.

the protection is not between js files, it's between frames/windows. a window
from www.a.com generally can't access a window from www.b.com, even if www.a.com
stole code from www.b.com.
Whiteboard: LiveConnect [bugscape 19520][need info] → LiveConnect [bugscape 19520][need info] INVALID

    
    

    
  
(In reply to comment #58)
> in web browsers scripts are tied to the html document that owns them. 

I hate to say it but he's absolutely correct. Elements on the HTML
page are able to call JavaScript functions from the included .js
file no matter where it comes from. It stands to reason that 
JavaScript to Java communications would be restricted in this 
situation. The fact that this currently works in other browsers
just means that those other browsers have flawed security models
and it is something that they will probably eventually "fix".
There are probably going to be a lot of web "applications" that
break when this happens.

    
    

    
  
I agree with the last two comments, but then I had a lot to do with the security
model for JS, include <script src=...>.

But this bug is 4xp -- what specifically doesn't work in Mozilla, that did work
in Netscape 4.x?  It should never have been the case in 4.x that nesting <script
src=bar.com/baz.js> in foo.com/blargh.html gives foo.com the ability to run code
as if it were bar.com.

/be

    
    

    
  
I disagree.  This is not a flawed security model.  This is just the way that 
the Internet works.  People share innovations that other people develop.  In 
order to develop powerful products over trivial 'spinning globes', companies 
have to combine the power of Java, JavaScript, Active-X, DHTML, etc.
The fact that my company has licensed our technology to a website to deploy on 
their websites means that a) there is mutual trust between the parties and 
very likely contractual relationships ensuring protections where needed  and 
b) that if I think that there is a risk that the website that I've license the 
technology to could potentially do harm to my technology, it is my 
responsibility to build in protection into my code.
There is NOT any possibility of doing harm to the user. Only possibility of a 
rogue website doing harm to my technology by calling my javascript functions 
in inappropriate ways that my company would not want them to do.  We have 
built in protections for that and we of course have restrictions that rogue 
websites cannot just paste an <script src> of our technology on our website 
and have them use it (i.e. steal our technology).
There is no user level security danger here.  Only possible danger is between 
the website and the technology vendor.  I don't think that it is the 
responsibility of the web browser to restrict commercialization opportunities 
on the Internet over faulty thoughts on security protections.
Hope that clears it up.

    
    

    
  
(In reply to comment #61)

Hi folks,

My site is also experiencing problems due to this issue. I'd like to explain
what precisely we're doing so there's a clear idea of what should and should not
break.

I run a free Internet chat service. To add our chat room applet to a page, users
insert something like the following into their page:

<script src="http://ourserver/jsgen.cgi"></script>
<script>
// set various options here
go(options_array);
</script>

The script then uses document.write to insert the applet onto the page. This
works very well.

The problem is that our applet has a few public JS methods. Mozilla will not
allow the user's page to work with the applet via JavaScript (e.g. telling it to
detatch from the page, etc). This works without any problems on IE.


Thanks for your time, all. I hope this provides a scenario where the page has a
legitimate need to work with the applet.

    
    

    
  
Why is the security model between included javascript files and included 
applets different? With javascript files, they essentially become part of the 
page. By this, I mean the page can call any methods and/or use any data on the 
included javascript file regardless of origin.

With an applet, why would the same not apply? If I decide as the web page 
creator to include an applet on my page, why can I not "talk" to that applet? 
It's not like I can force my applet onto your page. And just because my applet 
is on the page doesn't mean it can talk to your server. 

The applet can only talk back to the server it came from... that makes total 
sense. But for the web page to not be able to talk to an applet it has 
included doesn't. Apparently browser makers prior to NS/Mozilla 6.x,7.x 
understood this. Applets become much less useful if all they can do is be 
viewed and not interacted with by the web page. This issue is preventing our 
software from being used by several clients on the latest versions of Netscape 
and Mozilla, and we thus have to live with NS 4.x for that much longer. If we 
can finally put this bug to rest, maybe NS 4.x can be put to rest as well. (I 
can't imagine anyone would object to that.)

    
    

    
  
(In reply to comment #63)
> Why is the security model between included javascript files and included 
> applets different? With javascript files, they essentially become part of the 
> page. By this, I mean the page can call any methods and/or use any data on the 
> included javascript file regardless of origin.

I actually question why this is even allowed. However, there are limits
to what JavaScript can do so it isn't as much of a problem.

> With an applet, why would the same not apply? If I decide as the web page 
> creator to include an applet on my page, why can I not "talk" to that applet? 
> It's not like I can force my applet onto your page. And just because my applet 
> is on the page doesn't mean it can talk to your server. 

If you are creating the web page, why can the applet not exist on your
web server as well. I realize this breaks the way your system works. My
point is that the way we are building these systems is flawed and I
don't think it even follows what Sun recommends.

> The applet can only talk back to the server it came from... that makes total 
> sense. But for the web page to not be able to talk to an applet it has 
> included doesn't. Apparently browser makers prior to NS/Mozilla 6.x,7.x 
> understood this. Applets become much less useful if all they can do is be 
> viewed and not interacted with by the web page. This issue is preventing our 
[...]

What if someone unethical makes a page that includes your applet and
causes it to do evil things. What recourse would you have? What if this
is crafted into the next email trojan that goes around? What if your 
applet handled monetary transactions? To me, this is similar to a lot
of the other web browser security problems we've seen lately...It's
just waiting to be exploited somehow if it hasn't been already.

I don't think this argument should even be happening. Someone should be
able to point to an authoritative source and describe the proper behavior.
Just because things used to work a certain way does not mean it was
correct. Can someone get Sun's official position on this? This is something
that the entire community of Web developers needs to have addressed.

    
    

    
  
>> page. By this, I mean the page can call any methods and/or use any data on
>> the included javascript file regardless of origin.
>
> I actually question why this is even allowed.

What's the point of questioning it?  It has been supported since Netscape 3.0. 
It's also useful for sharing common scripts; there is no point in allowing
foo.com to include script from bar.org if it can't use it (i.e., call its
functions, get and set its variables).

Finer grained control may be wanted, and was provided in the past via export and
import (not standardized via ECMA, now removed from SpiderMonkey).  But saying
you want finer control is not the same as questioning why it's allowed to use
another domain's scripts.

Are you concerned about "stealing"?  If bar.org puts useful script in a .js file
served with the right MIME type to the world, why shouldn't foo.com use it, if
it is deemed safe and useful?  Of course, usually the sharing is more intimate
in the DNS: scripts.yahoo.com and my.yahoo.com, e.g. (made-up example based on
real ones).

> However, there are limits
> to what JavaScript can do so it isn't as much of a problem.

What would the problem be if JS could do more?  Are you concerned that foo.com
is using bar.org's scripts without studying them for Trojans, etc.?  _Caveat
emptor_ applies to any public content on the web.  In practice, people use
scripts in .js files of their own, or bought from a DHTML library vendor, or
used freely from an open source project (e.g., jslib.mozdev.org) whose
reputation is good.

In any of these cases, where the shared scripts are deployed relative to
including pages is independent in general from who wrote or purveyed them, and
independent from the domains of the including pages.

> If you are creating the web page, why can the applet not exist on your
> web server as well. 

Why *must* the applet be copied to the same server as the page (which seems to
be what you propose -- not *may* but must)?  What are you trying to achieve by
that, other than forcing people to make lots of gratuitous copies, creating more
maintenance work and hazards, and taking up more disk space?

Sun may be the authority on Java, but web page object or applet embedding and
the security models used by browsers are the provenance of the w3c.

Alas, I do not believe that the w3c has ever specified the _de facto_ standard
here.  But there *are* _de facto_ standards, and every browser vendor has to
implement them.  Don't be so quick to dismiss "what was done in the past";
compatibility with what actually worked, and what is still deployed, matters to
a lot of businesses who have sunk costs here.

This bug is not the place to debate "what if" and "might have been", or "I would
have done it differently."  This bug is a 4xp compatibility bug (also an IE and
no doubt a Safari bug once its LiveConnect support ships bug).  We should fix it
without lots of digressive comments.

/be

    
    

    
  
(In reply to comment #65)
> What would the problem be if JS could do more?  Are you concerned that foo.com
> is using bar.org's scripts without studying them for Trojans, etc.?  _Caveat
> emptor_ applies to any public content on the web.  In practice, people use
> scripts in .js files of their own, or bought from a DHTML library vendor, or
> used freely from an open source project (e.g., jslib.mozdev.org) whose
> reputation is good.

I'm talking about protecting the people browsing web sites, not the
developers. How does "Caveat emptor" apply to me when I am clicking
on a link to a site I have never seen before? There have been many
problems with "cross-site scripting" lately. "Pop-up blocking" in
Mozilla is a response to one unanticipated missuse of JavaScript.
I have to assume there may be somebody reading this that has built 
their business based on JavaScript pop-ups advertising...

> Sun may be the authority on Java, but web page object or applet embedding and
> the security models used by browsers are the provenance of the w3c.
> 
> Alas, I do not believe that the w3c has ever specified the _de facto_ standard
> here.  But there *are* _de facto_ standards, and every browser vendor has to
> implement them.  Don't be so quick to dismiss "what was done in the past";
> compatibility with what actually worked, and what is still deployed, matters
> to a lot of businesses who have sunk costs here.

I only suggest that we try to do it the "right" way. If there is nothing
authoritative that describes the proper functionality, then who is to say
that it cannot be written now? In any case I think that the answer should
come from someone like the W3C.

    
    

    
  
Roger, take it to a newsgroup, you are spamming this bug.  Cross-site scripting
holes in other browsers, and pop-up window abuse, have *nothing* to do with this
bug (and seeking an authority to worship at the expense of _de facto_ standards
actually implemented by most browsers is a fallacy).  You're abusing your
bugzilla privileges; please stop.

/be

    
    

    
  
As far as I can tell from searching my memory and reading MozillaClassic code
via http://lxr.mozilla.org/classic/, the 4.x codebase would not associate
transcluded scripts with their source domain when computing principals -- they
are run as if they came from their including script's domain.

E.g., http://a.com/ uses a <script src="b.com/c.js"> tag -- the script in c.js
runs as if it came from a.com.

That says that in 4.x, there was no check done by the Java plugin; or that such
a check used some other means, such as that proposed by beard in comment 36, to
allow the access.  Can someone from Sun say which it was?  It would help to know
what the motivation was for changing things from the way they worked in 4.x.

/be

    
    

    
  
For the non-cross-frame case at issue:
http://developer.netscape.com/docs/manuals/communicator/jssec/index.html

may be relevant for 4.x. My brain understood this once. Isn't 4.x signed script
security a matter of JAR files holding permissions? No jar file, no codebase
permission. For permission, do this:

<script id="foo" archive="http://any.com/perms.jar" src="in_the_archive/foo.js" />

Don't compare src= URLs, compare archive= permissions. The URL of the script is
irrelevant, only permissions matter. id= is/was required to name the signed code
so that it could be tracked for codebase-principle checks. Therefore, in 4.x,
with no id, no permission is granted, even if a JAR file is supplied correctly
with archive=. With all those things missing, permission denied is/was certainly
the case.

When permission was GRANTED, further nastiness assured that NAMED COLLECTIONS of
scripts on a given page had shared access to each other. Such collections were
mutually exclusive.

- N. (sole living possessor of "Instant JavaScript" ;-).

    
    

    
  
re comment 68,

The origin-check was introduced by bug 45692. A new method - GetOrigin was added
in nsCSecurityContext, see
http://lxr.mozilla.org/seamonkey/source/modules/oji/src/nsCSecurityContext.cpp#116
Java plugin is relying on this method to compare the origins.

now the problem becomes: what is an applet's origin?

Use the same example Brendan just gave, http://a.com uses 
<applet codebase="http://b.com" code="test">. I personally agree to use
http://a.com as the origin of the applet instead of http://b.com which is
currently used in java plugin. 

I'm wondering what is the standards of the js/applet origin's definition?

    
    

    
  
In my opinion, the applet's origin must be taken in context. When talking back 
to the origin that it came from (i.e. what servers it can open a connection 
to), it is being done correctly now. If the codebase of the applet is b.com, 
then that is its origin. That is the only SERVER it should be allowed to talk 
to. Any SERVER other than the one that served it could be a security concern. 

Where there is an issue is on the CLIENT side. If I as a web page creator 
include an applet on my page, I should be able to talk to it on the CLIENT no 
matter what the origin. Just as a javascript include can come from any origin 
and still be usable, an applet should be as well. If I can't talk to the 
applet on the client side, then what is the point of even including it? We are 
then limiting the usefulness of applets to only things that can be fully self 
contained in the applet (spinning globes, etc). 

I guess its a matter of how you see applets. If you see them as nothing more 
than fancy images and eye candy, then not being allowed to talk to them is 
fine. If you see them as business objects that can provide services across 
vendors (or even services within a single vendor in a highly scalable 
environment where load balancing and sound application design cause different 
services to come from different physical machines), then this bug is a glaring 
issue that prevents integration with third parties and/or creation of highly 
scalable systems.

If the decision is that the former should hold, then that makes Mozilla and 
NS6/7 only useful to the eye candy folks, and not useful in a business 
environment. Unfortunately, that would leave businesses with the far more 
buggy NS4.x as the only viable alternative to Internet Explorer.

    
    

    
  
This bug prevents us from certifying one of our products at Oracle on Netscape
7/Mozilla/Firefox. If new security restrictions are added, there should be a way
to disable them so that Netscape is backward compatible.  We would like to move
users from Netscape 4.x but cannot because of this issue.  If you would like
more details, please feel free to contact me.  

I would also like an update on when this bug will be resolved. Thank you.

    
    

    
  
Re: comment 69 -- this 4xp bug has nothing to do with signed scripts.

Re: comment 70 -- so Jeff Dyer implemented "LiveConnect security" in a way
that's incompatible with 4.x.  That seems like a bug.  My name was invoked in
that bug (bug 45692 comment 12, "In response to brendan's comments"), but I
don't see my comments.  Anyway, that was a long time ago -- it's hard to justify
the way the code works, and doesn't work, based on that bug.

We should fix this 4xp bug.  I'll propose a patch today.

Re: comment 72 -- please cc: yourself on bugs for which you wish to receive mail
notifications.  You can adjust your preferences in bugzilla to limit how much
mail you receive.  I've cc'd you on this bug.

/be

    
    

    
  
If our security model protects applets in pages (whether included directly, or
indirectly via <script src=>/document.write) loaded from foo.com from being
accessed by script from evil.org, then I do not see why we need any check of the
kind Jeff Dyer added to LiveConnect several years ago.  That check is redundant
in the case of a malicious script, and its only other effect is to cause this bug.

I think we should turn off the same-origin test that is throwing the exception
reported here.

Proof: if we need that check, then an applet is being accessed in violation of
the same-origin checks done to protect all content in windows loaded from
foo.com from access by scripts from evil.org.  If we have a hole there, it's so
wide that lots of things (form data, link state) are compromised.  We test and
fix security bugs, and no such bug is known.

/be

    
    

    
  
> We should fix this 4xp bug.  I'll propose a patch today.

Brendan, currently, we check the same origin both in mozilla and in java-plugin
code. callee has the responsibility to check it. So we must fix it in both side. 

I'm discussing this issue with JPI team. Hope we can find out an acceptable
solution soon.(In reply to comment #73)


    
    

    
  
> Brendan, currently, we check the same origin both in mozilla and in java-plugin
> code. callee has the responsibility to check it. So we must fix it in both side.

Why must the callee check?  Distrust of the DOM security code in the caller? 
That may be valid as a defense in depth step ("belt and braces/suspenders"), but
the callee must then arrange for backward compatibility, i.e., this bug should
be fixed by having the DOM code (somehow) inform the LiveConnect code that the
applet is being used as an extension to foo.com script, not called directly as
if it came from its home on applet.net.

/be



    
    

    
  
Changing summary and category. Hopefully we can make some progress in 1.7 final.
Assignee: caillon → live-connect
Component: Security: General → Java: Live Connect
QA Contact: chrispetersen → pschwartau
Summary: sun.plugin.liveconnect.OriginNotAllowedException: JavaScript is not from the same origin as the Java code exception, Liveconnect call to the applet, applet codebase written as include javascript and pointing to a different domain → Liveconnect calls fail if applet's codebase is in different domain
Target Milestone: mozilla1.5alpha → mozilla1.7beta

    
  
Blocks: 94474

    
    

    
  
1.7b freezes Tuesday at midnight PST, but any fix here that we want for 1.7final
should be in hand soon, so marking blocking1.7b+.  Kyle, please update this bug
with status as soon as you can.  Thanks,

/be
Flags: blocking1.7b+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch (obsolete)
        — Splinter Review
      

    


  
Let's try this.
Assignee: live-connect → caillon
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 143675 [details] [diff] [review]
Patch

Thoughts?

        Attachment #143675 -
        Flags: superreview?(brendan)

        Attachment #143675 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 143675 [details] [diff] [review]
Patch

- In AutoPushJSContext::AutoPushJSContext():

-    if (aSecuritySupports)
-	 mPushResult = CreatePrincipal(aSecuritySupports, secMan,
getter_AddRefs(principal));

Those two references to aSecuritySupports were the only ones, the argument
could now be removed completely from AutoPushJSContext's ctor. Though we might
want to do that after 1.7b.

- In get_JSPrincipals_from_java_caller_impl():

+    nsCOMPtr<nsIScriptSecurityManager>
secMan(do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv));

Seems like it might be worth caching the security manager in this module now...

That's what I got so far, need more time to think about the rest...

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2Splinter Review
      

    


  
Fixed whitespace issues, did some really minor cleanup, and added a comment to
nsCSecurityContext::Implies() which should better explain what is going on.

Johnny, yeah I agree with you but let's wait to do those until alpha -- the
security manager could be cached for lots more places than where you noted and
it would make sense to just batch them up into one patch rather do it halfway
here; touching more codepaths than we need to in order to fix this bug.

        Attachment #143675 -
        Attachment is obsolete: true

        Attachment #143684 -
        Flags: superreview?(brendan)

        Attachment #143684 -
        Flags: review?(jst)

        Attachment #143675 -
        Flags: superreview?(brendan)

        Attachment #143675 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 143684 [details] [diff] [review]
Patch v2

sr=me, contingent on jst's review of course.

Thanks for doing this.

/be

        Attachment #143684 -
        Flags: superreview?(brendan) → superreview+

    
    

    
  
Comment on attachment 143684 [details] [diff] [review]
Patch v2

Yeah, we can do the cleanup later.

r=jst

        Attachment #143684 -
        Flags: review?(jst) → review+

    
    

    
  
Comment on attachment 143684 [details] [diff] [review]
Patch v2

Requesting approval: this improves our support for Java applets, by cleaning
out some old and crusted code, and it would be great to get some testing
coverage in beta.

        Attachment #143684 -
        Flags: approval1.7b?

        Attachment #143684 -
        Flags: approval1.7b? → approval1.7b+

    
    

    
  
Fix checked in 03/13/2004 12:52.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: mozilla1.2
OS: Windows XP → All
Resolution: --- → FIXED

    
    

    
  
Need a followup bug for the long-term fix?

/be

    
    

    
  
*** Bug 94474 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 238015 has been marked as a duplicate of this bug. ***

    
    

    
  
I just downloaded Mozilla 1.7b to check this bug fix. The 
OriginNotAllowedException no longer occurs. However there is now a new security 
exception for applets that open sockets back to the server from which they 
came. 
java.security.AccessControlException: access denied (java.net.SocketPermission 
live01.mediaplatform.com resolve)

The setup under which this occurs is:
1. The html page comes from a.com. 
2. The page embeds an applet from b.com. 
3. The applet tries to open a socket back to b.com, to the exact server that 
served the applet. 
4. The above security exception occurs.

Here is a test link that shows the error 
http://musedev.ivtweb.com/Test/appletfail.htm

Notice that the applet's codebase is live01.mediaplatform.com and it tries to 
open a socket back to live01.mediaplatform.com. This should be an allowed 
behavior of an applet regardless of the url of the page in which the applet 
exists. This page works correctly in both IE and Netscape 4.x.


    
    

    
  
Could you modify the applet's codebase from http://live01.mediaplatform.com/v203
to http://live01.mediaplatform.com and try again?

    
    

    
  
(In reply to comment #92)
> Could you modify the applet's codebase from 
http://live01.mediaplatform.com/v203
> to http://live01.mediaplatform.com and try again?

That same page's applet now has a codebase of http://live01.mediaplatform.com. 
It is still failing. I also tested putting the html page on a server in the 
same domain (although not on the same server). The error still occurred.



    
    

    
  
comment 91 through comment 93 belong in a different bug, please.

/be

    
    

    
  
Why a different bug? The new symptoms are the flip side of this same problem,
our internal requirement that the page and applet be in the same domain. Now
a.com can talk to the b.com applet but it still can't *use* it (assume
non-trivial applet, otherwise it could just be copied to a.com) since the applet
no longer knows its true home.

Unless maybe they should go into the "remove hack" bug 237385 mentioned in
comment 88

    
    

    
  
re comment 95, I'm pretty sure this is a applet or java plugin bug, rather than
a mozilla bug. And bug 237385 can't help on this too.

re comment 93, could you use appletviewer to access the same page? If it is
still failing, the problem should not belong to neither mozilla nor java plugin.
If you send the simplified applet source code or post it in n.p.m.java, I can
help you to find out where the problem is.

    
    

    
  
I downloaded 1.7b and I am also getting this new Security exception. 

  java.security.AccessControlException: access denied 
(java.net.SocketPermission ilearningstage.oracle.com resolve)
at java.security.AccessControlContext.checkPermission
(AccessControlContext.java:270)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1042)
at sun.plugin.net.protocol.http.HttpURLConnection.checkPermission
(HttpURLConnection.java:193)
at sun.plugin.net.protocol.http.HttpURLConnection.connect
(HttpURLConnection.java:144)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream
(HttpURLConnection.java:516)


    
    

    
  
(In reply to comment #96)
The applet is not the problem. This applet is confirmed to work in both IE and 
Netscape 4.7 and is currently used in our production environment.

I believe that this issue belongs under the same bug and not as a new bug 
because I believe the code that was modified to fix the 
OriginNotAllowedException created this bug. The reason I say this is that in 
previous Mozilla versions we had a workaround where, by setting DNS entries in 
our HOSTS files, we could trick the applet into working. This workaround was 
not a solution for our customers because we could not ask our customers to 
modify their HOSTS files, but it did clarify the problem for us internally. 
Also, in the previous Mozilla versions, when the HOSTS file was modified we 
were able to make the connection back to the server that served the applet.  In 
the 1.7b release however, this connection is no longer possible. So unless 
there was some other security code that was modified for this release, it seems 
that the most likely conclusion would be that the change made to fix this bug 
has caused new problems.




    
    

    
  
This bug has already been closed. Please file another bug for this regression,
and a *simple* testcase is highly appreciated.

    
    

    
  
I had hoped this would fix my problems with logging on to the Netbank of Danske
Bank (www.danskebank.dk / netbank.danskebank.dk), but with Mozilla 1.7b I get
simelar errors to those described in comment #91 and comment #97.

JavaScript Console:
-------------------
Error: uncaught exception: java.security.PrivilegedActionException:
java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException

Java Console:
-------------
java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException

	at java.security.AccessController.doPrivileged(Native Method)

	at sun.plugin.liveconnect.SecureInvocation$2.run(Unknown Source)

	at java.security.AccessController.doPrivileged(Native Method)

	at sun.plugin.liveconnect.SecureInvocation.CallMethod(Unknown Source)

	at sun.plugin.liveconnect.SecureInvocation.access$300(Unknown Source)

	at sun.plugin.liveconnect.SecureInvocation$CallMethodThread.run(Unknown Source)

Caused by: java.lang.reflect.InvocationTargetException

	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

	at java.lang.reflect.Method.invoke(Unknown Source)

	at sun.plugin.liveconnect.PrivilegedCallMethodAction.run(Unknown Source)

	... 6 more

Caused by: java.security.AccessControlException: access denied
(java.util.PropertyPermission com.ms.sysdir read)

	at java.security.AccessControlContext.checkPermission(Unknown Source)

	at java.security.AccessController.checkPermission(Unknown Source)

	at java.lang.SecurityManager.checkPermission(Unknown Source)

	at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)

	at java.lang.System.getProperty(Unknown Source)

	at Utils.queryDefaultDrive(Utils.java:193)

	at CKeyPath.<init>(CKeyPath.java:26)

	at CDanskeSikkerCtrl.Init(CDanskeSikkerCtrl.java:347)

	at DanskeSikker.Init(DanskeSikker.java:296)

	... 11 more


I'm no Java expert and definetely no LiveConnect expert, but hope this
information is a little help anyway.

If this is problem is another bug now, which bug should I vote for?

Danske Bank is one of scandinavia largest banking concerns, including (among
others) BG Bank which use same netbank system.


    
    

    
  
I created a new bug for the new issue.  I included the related comments from 
this bug.  Please see bug 240323.

    
    

    
  
I work for a software company and this bug is limiting browser support issues
for our financial quote application (popup w/ applets).  Until this bug is fixed
we can not say our app supports Netscape/Mozilla browsing.

This is not a plugin problem.  Our app runs fine on IE under Sun's VM.  Things
go awry when we try to launch the app in Netscape 7.x and Mozilla.  

Our situation: our html pages reset their document.domain values in order to
talk with pages on a different server but with the same domain (pages from
a.b.com and c.b.com reset to b.com).  Unfortunately, the resetting prevents the
pages from talking with our applets, even though our applets originate from the
same server! (Callee (b.com reset from a.b.com) + caller (a.b.com, applet) =
exception.)      

To fix this bug, it seems the browser should compare domain origins not on
easily changeable values (like document.domain) but from immutable facts like if
the JS and JAR files come from the same server (a.b.com and a.b.com), they
should be able to talk, even if document.domain is truncated to its suffix.

Hope this helps and good luck.

Ian

    
    

    
  
The fix of the bug allows the applet to call javascript with different domain
name by undo the same origin check in the browser side. So the fix should works
find with the problem mentioned in the above comment #102. 

Javascript calls Java with different origin will have problem since Java Plug-in
still verify whether they came from the same origin or not. Due to this,
Javascript could be signed with UniversalBrowserRead permission to avoid the
same origin check in plug-in side. 

The reason Sun's JVM works with IE is both browser side and Plug-in side does
not do same origin check since there is some technical difficulty to do this (as
I heard from IE plug-in guy).

    
  
Product: Core → Core Graveyard

    
    

    
  
I.E , Mozilla, Firefox


Thanks

MEDIASHAREiQ Team

https://www.mediashareiq.com/



          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: