Closed Bug 48319 Opened 24 years ago Closed 24 years ago

Reading signed JAR URLs w/o Cartman fails

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Future

People

(Reporter: security-bugs, Assigned: security-bugs)

References

(
URL
)

Details

(Whiteboard: [nsbeta3-]) 

Pages loaded form signed JAR URLs fail to load if PSM is not installed. THis
should not be the case; obviously we can't verify the signature w/o PSM, but the
page should load. A failure in initializing PSMComponent should not halt the
page load.
This could create a problem when chrome gets JAR'd. If we ever sign it, it won't
be readable if PSM is not installed. Easy to fix. Nominating nsbeta3.
Status: NEW → ASSIGNED
Keywords: nsbeta3
Won't PSM always be installed? That's a workaround. And, why would you want to 
load it if you can't verify it? Is the user given a notification?
Whiteboard: [nsbeta3-]
It's possible you might want to read a file from a jar and you don't care about 
the signature because you don't intend to run any scripts. In general, PSM should 
not be a requirement for things like this if the user doesn't care about 
cryptographic features. 

That said, NS6 will have PSM by default, so I'm marking this Future. If it turns 
out that this breaks jarred chrome, we may have to up the priority.
Target Milestone: --- → Future
My proposed fix for 24765 fixes this (making signature verification lazy).
Depends on: 24765
Integrating jarChannel with the file cache (bug 24765) has eliminated this 
problem. marking Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified on Linux 10/3 branch build.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.