getCodeBase broken locally in 7 update 25

Mickey Segal java3 at segal.org
Wed Jun 19 18:10:50 PDT 2013


This is going to be a big problem for those of us who need to run signed applets locally when there is no internet access, as often occurs at conferences and lecture rooms.  We will have no access to files at the codeBase unless we hard code the path, which is a problem if several people in an organization need to do such demos and each will have a different path depending on their user name.  

I also thought ahead to try what would happen when I was not only running the local version of the applet but doing so without internet access, and noticed that there is a new setting “Java Console | Advanced | Perform certificate revocation checks” that needs to be set to “Do not check” to be able to run with no internet access.  This is in addition to the need on Safari on the Macintosh to turn on the Develop menu and select Disable Local File Restrictions, and the need on Internet Explorer on Windows to set Internet Options | Advanced | Allow active content to run in files on My Computer.

In Java 8 update 94 getCodeBase works fine when run locally.  Is that getting blocked soon too?  The problem is that these updates are rolled in a mandatory way, and one can be at a conference and suddenly find out that an applet is not allowed to run unless the Java version is updated, and the update kills the ability to run the software during a talk.

If 7u25 had been rolled out next week when I need to run a signed applet locally at a conference I would have been pretty upset.

From: Sandeep Konchady [mailto:sandeep.konchady at oracle.com] 
Sent: Wednesday, June 19, 2013 7:40 PM
To: Mickey Segal
Cc: Java Security
Subject: Re: getCodeBase broken locally in 7 update 25

Hi Mickey,

The issue you are seeing is intended behavior. This was caused because of a vulnerability that was fixed in 7u25 in which a getCodeBase call against all local applet/jnlp apps will return null.

Thanks,

Sandeep
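
Added example, not part of either message above and not Oracle's or the poster's code: one way a signed applet could locate its local data files without a hard-coded per-user path once getCodeBase() returns null. The `dataDir` applet parameter and the `LocalBaseResolver` class are hypothetical, and the applet is assumed to run with all-permissions so that it may read `user.home`.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: choose a base URL for data files when getCodeBase() may be null. */
public class LocalBaseResolver {

    /**
     * @param codeBase value of Applet.getCodeBase(); null for local launches as of 7u25
     * @param dataDir  hypothetical applet parameter: folder relative to the user's home
     * @param userHome value of System.getProperty("user.home")
     */
    static URL resolve(URL codeBase, String dataDir, String userHome)
            throws MalformedURLException {
        if (codeBase != null) {
            return codeBase; // launched from a web server: behaviour unchanged
        }
        if (dataDir == null || dataDir.isEmpty() || userHome == null) {
            throw new IllegalStateException("codeBase is null and no dataDir was configured");
        }
        Path home = Paths.get(userHome).toAbsolutePath().normalize();
        Path dir = home.resolve(dataDir).normalize();
        // Reject absolute paths and ".." segments so the parameter stays inside the home directory.
        if (!dir.startsWith(home) || dir.equals(home)) {
            throw new IllegalArgumentException("dataDir must be a folder below user.home");
        }
        String uri = dir.toUri().toString();
        if (!uri.endsWith("/")) {
            uri += "/"; // trailing slash so new URL(base, "file.txt") resolves inside the folder
        }
        return URI.create(uri).toURL();
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("user.home");
        // Constructed inputs: a local launch (null codeBase) and a web launch.
        URL local = resolve(null, "demo-data", home);
        URL web = resolve(new URL("http://example.org/applets/"), "demo-data", home);
        System.out.println(new URL(local, "slides.txt"));
        System.out.println(new URL(web, "slides.txt"));
        // Inside an applet the call would be:
        // resolve(getCodeBase(), getParameter("dataDir"), System.getProperty("user.home"))
    }
}
```

Each presenter keeps the same relative folder name under their own home directory, so the same HTML page and jar work for every user name.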
