Closed Bug 48319 Opened 25 years ago Closed 24 years ago

Reading signed JAR URLs w/o Cartman fails

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Future

People

(Reporter: security-bugs, Assigned: security-bugs)

References

(
URL
)

Details

(Whiteboard: [nsbeta3-])

Pages loaded form signed JAR URLs fail to load if PSM is not installed. THis should not be the case; obviously we can't verify the signature w/o PSM, but the page should load. A failure in initializing PSMComponent should not halt the page load.
This could create a problem when chrome gets JAR'd. If we ever sign it, it won't be readable if PSM is not installed. Easy to fix. Nominating nsbeta3.
Status: NEW → ASSIGNED
Keywords: nsbeta3
Won't PSM always be installed? That's a workaround. And, why would you want to load it if you can't verify it? Is the user given a notification?
Whiteboard: [nsbeta3-]
It's possible you might want to read a file from a jar and you don't care about the signature because you don't intend to run any scripts. In general, PSM should not be a requirement for things like this if the user doesn't care about cryptographic features. That said, NS6 will have PSM by default, so I'm marking this Future. If it turns out that this breaks jarred chrome, we may have to up the priority.
Target Milestone: --- → Future
My proposed fix for 24765 fixes this (making signature verification lazy).
Depends on: 24765
Integrating jarChannel with the file cache (bug 24765) has eliminated this problem. marking Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified on Linux 10/3 branch build.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.