More Applet errors with 7u45

[Richard Maher]

Hi,

If anyone could shed light on what's causing these errors, and if they
are informational or the root cause of the Applet failure, I would
really appreciate it! From the console log: -

(1)
ui: missing resource: java.util.MissingResourceException: Can't find
resource for bundle com.sun.deploy.resources.Deployment,
key PERF: AppletExecutionRunnable - applet.init() BEGIN ;

This applet is loaded at run-time via <div>.innerHTML="<object>. . ."
No jnlp involved. Look no further than this?

(2)
liveconnect: Security Exception: JavaScript from
http://127.0.0.1/employee_lookup.html attempted to access a resource it
has no rights to. (No pop-up window as in
https://blogs.oracle.com/java-platform-
group/entry/liveconnect_changes_in_7u45)

I have added the following lines to the manifest: -

Application-Name: Tier3Client
Permissions: sandbox
Caller-Allowable-Codebase: *

But I don't see "cache: Read manifest for " till later.

(3)
ui: Pushing modality for applet ID 1 with dialog
tier3Handshake.Tier3LogonAWT
basic: PluginMain.unregisterApplet: 1 from mananger
sun.plugin2.applet.Applet2Manager@8c6afe
ui: plugin2manager.parentwindowDispose

What's happening?

Cheers Richard Maher

 

[Richard Maher]

liveconnect: Security Exception:

Ok, the Liveconnect security exception appears to be the winner
(impacted by time-sensitive errors around the applet tear-down)

I'll come up with a small reproducer to test my suspicions about the
innerHTML run-time dynamic load revealing the bug but can someone say if
this manifest is acceptable from a Caller-Allowable-Codebase perspective: -

Manifest-Version: 1.0
Application-Name: Tier3Client
Permissions: sandbox
Created-By: 1.7.0_21 (Oracle Corporation)
Caller-Allowable-Codebase: * 127.0.0.1


I tried with just the wildcard and the addition of the localhost with no
difference in behaviour. It doesn't seem to matter where I position that
option in my TXT file it always seems to come out last in the MANIFEST.MF.

jar -cfm tier3Client.jar Manifest.txt tier3Client\*.class

Cheers Richard Maher

PS. Is there anyone who doesn't see the sense in
Caller-Allowable-Codebase being a html <param > name and the stupidity
of having it in the Manifest?

 

[Richard Maher]

Ok, the Liveconnect security exception appears to be the winner

Just keeps getting better :-(
https://addons.mozilla.org/en-US/firefox/blocked/p463

So I don't know if it was the browser(s), or the Applet being unsigned,
or the Applet being loaded dynamically at run-time, that caused the new
there-be-dragons pop-up not to be displayed but hosting the web-page in
the same domain as the Applet works-around the problem.

It appears Caller-Allowable-Codebase only works if the Applet is signed
by a certificate authority, but does that help if the web-site was
loaded with http instead of httpS in the first place? And shouldn't
Caller-Allowable-Codebase really be called
Caller-Allowable-DOCUMENTbase? Look if this check ensured that only
script files included in the HTML were from the same domain as the
Applet then this could be brilliant, but it only seems interested in the
unverified parent location :-(

To add insult to injury 9005723 did not make it in this release either.
So you LiveConnect calls still can't pass Java arrays as arguments to
JavaScript functions.

Cheers Richard Maher

 

[Richard Maher]

"Richard Maher" wrote in message
[snip]

Just keeps getting better :-(

Richard, it really *is* time for you to stop flogging that Applet "dead
horse".

SERIOUSLY.

https://bugzilla.mozilla.org/show_bug.cgi?id=914690

Great to see developers with a bit of heart and passion unlike the sad
bags of shit that one finds here (and at Oracle).

JavaFX FTW!

Grow a brain! Do you really think JavaFX is going to a real delousing
shower???

--
And loving it,

-Qu0ll (Rare, not extinct)
_________________________________________________
(e-mail address removed)
[Replace the "SixFour" with numbers to email me]