Open Bug 1576762 Opened 1 year ago Updated 1 month ago

Improve usability for JNLP and other executables


(Firefox :: File Handling, enhancement)




Tracking Status
firefox70 --- affected


(Reporter: dveditz, Unassigned)



(Keywords: sec-want)

In bug 1392955 we added .jnlp (Java Web Start) to the list of executable files because they trigger the download and execution of arbitrary Java code. There were lots of complaints about the usability after this change that we should investigate. There were also claims they weren't an "executable" because they were simply XML data files, but we reject that claim based on the basic intent of the file. Likewise Windows .LNK files are "just data" but we treat those as executables also, and they are limited to launching programs already on the user's system which is more limited than a download.

  1. The behavior of nsLocalFile::isExecutable() is quite different between Windows and other platforms. Need to normalize, especially for the case of "data" files that are actually scripts when fed into the appropriate program.

  2. The usability for executable files seems to differ between literal ".exe" files and others. Warning the user of dangers is good and they should all be treated the same.

  3. We should examine whether executable file types like .jnlp have enough built-in protections that we don't need extra warnings. This is, I think, the difference between literal .exe handling and others, for example. However, the .JNLP case protections are signature-based rather than content-based, so an approval for one is essentially letting that site run any arbitrary new code in the future without asking. Obviously not on a "nice" site, but we have to worry about how this can be abused also.
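
As an added illustration (not part of the original bug report and not Firefox code), the following Python parses a constructed JNLP descriptor and lists what a Java Web Start launcher is asked to fetch and run, which is why the report treats the XML file as executable by intent. The sample descriptor, its host and class names, and the function name `summarize_jnlp` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor; host, paths and class name are placeholders.
# For untrusted files, a hardened parser such as defusedxml is a safer choice.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://apps.example.test/tool/" href="launch.jnlp">
  <information><title>Sample Tool</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.8+"/>
    <jar href="tool.jar" main="true"/>
    <jar href="lib/helper.jar"/>
    <nativelib href="native/win64.jar"/>
  </resources>
  <application-desc main-class="test.example.Main">
    <argument>--profile=default</argument>
  </application-desc>
</jnlp>
"""

def summarize_jnlp(xml_text):
    """Return the code locations, entry point and permissions a descriptor requests."""
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor")
    codebase = root.get("codebase", "")
    if codebase and not codebase.endswith("/"):
        codebase += "/"
    # Code is named by URL only; the descriptor carries no hash of the content.
    code_urls = [urljoin(codebase, el.get("href"))
                 for res in root.iter("resources") for el in res
                 if el.tag in ("jar", "nativelib") and el.get("href")]
    app = root.find("application-desc")
    security = root.find("security")
    return {
        "code_urls": code_urls,
        "main_class": app.get("main-class") if app is not None else None,
        "arguments": [a.text or "" for a in app.findall("argument")] if app is not None else [],
        # Without <all-permissions/> the application runs in the Java sandbox.
        "all_permissions": security is not None and security.find("all-permissions") is not None,
        "fetches_remote_code": any(urlparse(u).scheme in ("http", "https") for u in code_urls),
    }

if __name__ == "__main__":
    for key, value in summarize_jnlp(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```
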

In addition to comment #0, it was observed that if you download a file deemed executable once, then in e.g. Chrome you get a warning on download and/or first open, but after that you're not bothered again, whereas we warn every time you try to open the file from the downloads panel.

Perhaps we could use the same UI as for blocking downloads, like in bug 1068656, but it'd need some design work.

See Also: → 1576616

Kindly note that we had raised bug 1648786 two weeks ago to get the code change reverted once again from Firefox ESR 78.x like we did earlier for Firefox ESR 68.x (bug 1576616 and bug 1392955).

Myself (Oracle) and Donald Smith (Java SE Product management at Oracle) have described in full the current status and long term roadmap for Java 8 and Java Web Start in our latest bug 1648786. We'd highly appreciate further actions being taken on this bug 1576762 to get this issue sorted out in both Firefox Rapid Release and future Firefox ESR major releases. If Mozilla requires any further clarifications from our side concerning the handling of JNLP once Firefox passes it over to our Java Web Start launcher then just let us know.

See Also: → 1664646