Closed Bug 184800 Opened 17 years ago Closed 7 years ago
Misleading Java security-grant dialog
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20020929
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20020929

Browser ignores user's directive to deny a signed applet permission to run. This can be seen with a PDA demo on news.com that is implemented as a signed Java applet.

Reproducible: Always

Steps to Reproduce:
1. On my platform (platform details above); dunno about other platforms; go to http://www.news.com/ Scroll down to almost the bottom of the page, and look at the _right_ side navigation menu for the section "News Tools".
2. In that section, select the "News by Mobile" link (I'm not giving full URLs because I think their URLs include a unique session ID).
3. In the page that loads ("Tech News To Go") click on "News.com Mobile Demo". A security dialog comes up asking whether or not you want to run the applet signed by RoundPoint.
4. In this dialog, there is a "Deny" choice. Click it. The applet runs and is perfectly functional. Note that for subsequent visits to the page, the security dialog no longer comes up. I am certain I clicked "Deny" and _only_ "Deny" on the dialog.

Actual Results: The applet ran with apparent full functionality.

Expected Results: The applet should not have run at all. Should have just shown a grayed out panel identifying the screen space allocated for the applet, or even just a generic small "applet here" icon, potentially at the cost of pretty layout, but with the benefit of following the directives of the user.

This bug is evil.
addendum: "with apparent full functionality" means it appeared to work fine. It was interactive; buttons worked, could navigate menus up and down, switch pages in the demo screens shown on the PDA portrayed in the applet, could see scrolling news tickers. In other words it was a live Java applet, not just an animated gif stand-in. And it was not flash; I do not have a working flash plugin set up for my browser.
I can confirm that on windows using Mozilla 1.0.2 -- will try trunk next. The permissions dialog shown appears to be generated by Java, not the browser. What version of the JRE are you using? (I've got 1.4.0_01)
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is probably a Sun JRE bug; CCing Joe Chou at Sun.
I think the most likely scenario is that the applet requested some privileged action but appears to run normally even if that privileged action is denied. In this case, the wording of the privilege-grant dialog is misleading, since it says "Do you wish to allow this applet to run?" or somesuch. The other possibility, which is less likely but must be ruled out, is that the Deny button is ignored and the privilege is granted anyway. That would obviously be very bad. I have asked the Sun folks to look into this.
Assignee: mstoltz → joe.chou
I think this applet never attempts to perform any privileged action. So when you click the "Deny" button, the applet will not get any privileged permission, but the applet doesn't need it at all; that is why the applet is still running OK. I don't know why you signed this applet; if the applet doesn't need any permission to run, there is no difference between the applet running trusted or untrusted. Yes, you will only see the security dialog box once in a session. If you want to see it again, you have to start a new browser session.
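To illustrate the behaviour described in the comment above, here is an added example applet (not code from this bug, from RoundPoint, or from Sun); the class name and the privileged operation it attempts are assumptions, and it targets the JRE 1.4/1.5-era applet sandbox discussed in this bug. The UI code path needs no permission, so the applet is fully functional whether the user clicked Allow or Deny; the grant only matters at the point where a privileged API is actually called, where a denied applet gets a SecurityException instead.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.io.File;

// Hypothetical signed applet (assumed name) showing why "Deny" in the
// security-grant dialog does not stop the applet: only code that touches a
// privileged resource is affected by the user's choice.
public class DenyDemoApplet extends Applet {
    private final String status = "applet is running (no privilege needed for this)";

    // Only this method touches something outside the sandbox. With privileges
    // denied, the sandbox SecurityManager throws SecurityException here (the
    // user.home property is not readable by untrusted applets, and neither is
    // the directory listing); the rest of the applet keeps working.
    String tryPrivilegedRead() {
        try {
            File home = new File(System.getProperty("user.home"));
            String[] entries = home.list();
            int count = (entries == null) ? 0 : entries.length;
            return "privileged read succeeded: " + count + " entries";
        } catch (SecurityException e) {
            // Denied grant surfaces here, and nowhere else in the applet.
            return "privileged read denied: " + e.getMessage();
        }
    }

    // Painting needs no permission, so this runs identically after Allow or Deny.
    public void paint(Graphics g) {
        g.drawString(status, 10, 20);
        g.drawString(tryPrivilegedRead(), 10, 40);
    }
}
```

Signed with a code-signing certificate and embedded in a page, this applet draws its first line regardless of the dialog choice; the second line reads "succeeded" only when the user granted the privileges, which is the distinction the dialog wording in this bug fails to convey.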
Dennis, the wording of the dialog box is misleading. It says "Do you want to install and run signed applet distributed by..." and yet it runs even if the user clicks Deny. I think we need to do one of two things: A) don't run the applet if the user clicks Deny B) Change the dialog to something like "This signed applet has requested enhanced privileges. Do you wish to grant these privileges?"
Reassigning to Dennis. Dennis, please let me know what you think we should do about this bug, or reassign it to the right person if you're not it.
Assignee: joe.chou → dennis.gu
We will change the text in the Security dialog box in order to reflect the accurate meaning of the user action. This will be addressed in JRE 1.5
Great! Thanks, Dennis.
Changing summary and making public; there's no security risk here, although we still want to see the dialog wording changed ASAP.
Summary: Signed Java applet still runs even after user says "Deny" to run request → Misleading Java security-grant dialog
Assignee: dennis.gu → nobody
Component: Security → Java (Oracle)
Product: Core → Plugins
QA Contact: toolkit → oracle-java
Version: Trunk → unspecified
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Why is this bug marked as Resolved Incomplete? Do you need more info/input?
Product: Plugins → Plugins Graveyard