Reading signed JAR URLs w/o Cartman fails

VERIFIED FIXED in Future

Status

()

P3
normal
VERIFIED FIXED
18 years ago
18 years ago

People

(Reporter: security-bugs, Assigned: security-bugs)

Tracking

Trunk
Future
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3-], URL)

Pages loaded form signed JAR URLs fail to load if PSM is not installed. THis
should not be the case; obviously we can't verify the signature w/o PSM, but the
page should load. A failure in initializing PSMComponent should not halt the
page load.
(Assignee)

Comment 1

18 years ago
This could create a problem when chrome gets JAR'd. If we ever sign it, it won't
be readable if PSM is not installed. Easy to fix. Nominating nsbeta3.
Status: NEW → ASSIGNED
Keywords: nsbeta3

Comment 2

18 years ago
Won't PSM always be installed? That's a workaround. And, why would you want to 
load it if you can't verify it? Is the user given a notification?
Whiteboard: [nsbeta3-]
(Assignee)

Comment 3

18 years ago
It's possible you might want to read a file from a jar and you don't care about 
the signature because you don't intend to run any scripts. In general, PSM should 
not be a requirement for things like this if the user doesn't care about 
cryptographic features. 

That said, NS6 will have PSM by default, so I'm marking this Future. If it turns 
out that this breaks jarred chrome, we may have to up the priority.
Target Milestone: --- → Future
(Assignee)

Comment 4

18 years ago
My proposed fix for 24765 fixes this (making signature verification lazy).
Depends on: 24765
(Assignee)

Comment 5

18 years ago
Integrating jarChannel with the file cache (bug 24765) has eliminated this 
problem. marking Fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 6

18 years ago
Verified on Linux 10/3 branch build.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.