Closed Bug 298202 Opened 19 years ago Closed 19 years ago

java preference ignored depending on java plugin install location


(Core Graveyard :: Java: OJI, defect)

Windows XP
Not set


(Not tracked)



(Reporter: fehe, Assigned: doronr)




(Keywords: fixed1.8)


(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050619 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050619 Firefox/1.0+

If you have javascript enabled but you have java disabled, certain websites can
invoke full java capability via a "malicious" javascript.  This appears to be
the scheme utilized at the linked URL.

Reproducible: Always

Steps to Reproduce:
1. Install Sun JRE 5.0 Update 3
2. Install the latest Deer Park alpha 1 trunk
3. Copy NPJava11.dll, NPJava11.dll, NPJava12.dll, NPJava13.dll, NPJava14.dll,
NPJava32.dll, NPJPI150_03.dll, and NPOJI610.dll, from "C:\Program
Files\Java\jre1.5.0_03\bin" to your Deer Park plugins directory
4. Launch Deer Park
5. Under Tools-->Options, disable both Javascript and Java
6. Visit
7. Notice that Java does not launch (i.e. no icon in the XP system tray)
8. Now go back to Tools-->Options and enable only Javascript (you can also
enable "but disable common annoyances" if you like - it will not make a
difference) but leave Java disabled.
9. Once again, visit
10. This time you should notice that Java has launced, because the Java icon
appears in the XP system tray!
Actual Results:  
Firefox preference for Java is circumvented by the website and full-blow Java
support is enabled.

Expected Results:  
No website should be capable of circumventing firefox preferences and enabling
"ANY" features that the user has intentionally disabled - especially Java! 

My system: Windows XP, SP2 + fully patched with all current XP updates.  My only
firewall is the Windows XP firewall (i.e. no egress or miscellaneous filtering -
Adblock excepted).
Version: unspecified → Trunk
Component: Preferences → Security
QA Contact: preferences → firefox
No action?

You can also use (obviously) JRE 5.0 Update 4, which was just released, to
reproduce this.
I don't believe that it is the site bypassing the preference... rather it is the
preference not being honored when the plugins are placed in either the app's
plugins directory or the plugins directory above the profile directory (e.g.
mozilla/plugins). I know the preference was honored in earlier builds so I
suspect this is a regression. A regression window would be helpful here.
BTW: the preference was honored for me when the java plugins were NOT in app,
etc. and it was honored when they were not located in either of those locations
Confirmed.  It only occurs when the plugins are placed in the Firefox plugins

There was a time when I could not get Java applets to work in Firefox (I believe
earlier than 0.8 ) until I copied the plugins over. Ever since then, that is
what I automatically did with each install.

Now I have verified that applets work without placing those plugins in the
Firefox directory.  Not sure how to proceed from here.
I can confirm this behavior as well. A few notes though:

1) This does not occur on the website   I haven't been
seeking out a ton of test sites due to time constraints though.
2) It should be noted that no actual java code execution takes place. Then
again, the test page in the bug doesn't actually execute any java code even when
you have it properly enabled. Whether or not java code can actually be executed
via this bug, instead of just opening the java console, remains to be thoroughly

HOWEVER, since even the console should not be opening with Java disabled... this
is definitely a bug. It's the severity I'm unsure about.
Ever confirmed: true
Summary: If javascript is enabled, sites can bypass Firefox preferences and enable full java → java preference ignored depending on java plugin install location
Product: Firefox → Core
Component: Security → Plug-ins
Flags: blocking1.8b4?
Flags: blocking1.8b4? → blocking1.8b4+
Johnny, this looks bad. Can you look into it or recommend someone else?
Assignee: nobody → jst
Flags: blocking1.8b4+ → blocking1.8b4?
Flags: blocking1.8b4? → blocking1.8b4+
doron, is this something you could help us investigate? JST is pretty doomed
right now. If not, any ideas who could help out?
This seems to be related to JavaScript calling the Java object, so Java is being
initated by JavaScript (var x = Java.etc) and not via markup.

Note that 1.7 has this behavior as well, so not a regression.  It just seems we
don't honor the preference when the JS Engine invokes the Java object.

I wouldn't call this bad really.
seems to be the code in question, and I defer to shaver.  This is supposed to be
standalone code and all, so someone who knows the engine needs to figure out how
(if at all) we should do this.
What in that file, specifically, do you think is the code in question?  All of
LiveConnect's interaction with the JVM is mediated through the callbacks
installed here:

so if something is not honouring the pref correctly, it'll be elsewhere.

When this is happening, what do we find for the status at
debugger shows status as nsJVMStatus_Enabled.
nsJVMManager::nsJVMManager adds an pref observer, but doesn't actually get the
prev value and call SetJVMEnabled -

Adding that seems to fix the issue for me.  Not sure if that is the right way to go.
Sounds good to me too -- I'll give you the bug as a prize for your detective
work!  Wanna put a patch up?
Assignee: jst → doronr
Component: Plug-ins → Java: OJI
Attached patch proposed patchSplinter Review
Attachment #193188 - Flags: superreview?(shaver)
Comment on attachment 193188 [details] [diff] [review]
proposed patch

If we can't get the pref, we default to...what?  I guess "on", because that's
what we get without that code. sr=shaver
Attachment #193188 - Flags: superreview?(shaver) → superreview+
(In reply to comment #15)
> (From update of attachment 193188 [details] [diff] [review] [edit])
> If we can't get the pref, we default to...what?  I guess "on", because that's
> what we get without that code. sr=shaver

I could call SetJVMEnabled(prefBool) if we couldn't get the prefservice or pref,
since prefBool defaults to true.
Attachment #193188 - Flags: approval1.8b4?
Attachment #193188 - Flags: review?(jst)
Comment on attachment 193188 [details] [diff] [review]
proposed patch

Attachment #193188 - Flags: review?(jst) → review+
Attachment #193188 - Flags: approval1.8b4? → approval1.8b4+
bah. you're duplicating code. i'd prefer you poke Observe and pretend the pref
has changed.
checked into trunk/1.8 branch
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.