[icedtea-web] Idea - do not start ITW applets automatically
smohammad at redhat.com
Fri Nov 16 09:01:23 PST 2012
On 11/15/2012 03:30 PM, Adam Domurad wrote:
> So in lieu of requests such as  and the potential for unsigned code escaping
> the sandbox (eg, the recent 0day) it could be worth looking into a feature that
> has applets not start automatically, but rather require a user confirmation
> (click?) to begin. Additionally a more strict setting could not allow This could
> be controlled via itweb-settings/environment and distributions might want it as
> the default.
> There should be some way to opt-in normal execution of signed applets based on
> certificate. When an applet's certificates are all opted in, it will start
> automatically. (Note that we do not need to handle mixed signed + unsigned code
> specially, it already requires a confirmation.) Unsigned applets, if we choose
> to allow them being opted in, can be opted in on a full domain name basis.
> The main motivation I have for proposing this feature is that many applet users
> only use a handful of applets, and having other applets automatically start is
> mostly an unnecessary attack surface. I have seen "Disable java in browser, and
> turn it on for any applets you need to use only" giving as advice following the
> 0day, and this would be a superior option.
>  http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1211
I think the idea is great and would be something I would personally make use
of. However, I am unsure as to how worthy this will be, given that Firefox
plans to implement something similar and Chrome already having this
feature. Within Chrome, users can specify which plugins should be activated
using their 'Click to Play' feature. Users can add domains to a list where
they can specify whether to always allow or deny activation of plugins. Of
course, your design will probably include a few more options but I think this
is something to consider looking over. In my opinion, the activation of plugins
should be controlled via browser and not through the plugin itself.
Anyways, if we do choose to implement this feature, as HelpCrypto and Jiri
pointed out, creating a whitelist for normal execution based on domain names
and wild character is also a welcoming approach. I would prefer not initializing
the JVM until the user has clicked to activate if possible.
More information about the distro-pkg-dev