United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6768136 Malformed 404s cause breakage of Java/JavaScript bridge and browser hangs
JDK-6768136 : Malformed 404s cause breakage of Java/JavaScript bridge and browser hangs

Details
Type:
Bug
Submit Date:
2008-11-06
Status:
Resolved
Updated Date:
2010-09-08
Project Name:
JDK
Resolved Date:
2008-11-07
Component:
deploy
OS:
generic
Sub-Component:
plugin
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
6u11
Fixed Versions:
6u11 (b03)

Related Reports

Sub Tasks

Description
Some web servers are misconfigured and do not return correctly formed 404 errors; the 404 is returned as an HTML page but the status code of the HTTP reply is not set. This causes the Java networking stack to become confused and the Java Plug-In to attempt to define a class with the contents of the 404 HTML page, which causes the JavaScript/Java bridge to break and the browser to hang.

                                    

Comments
EVALUATION

see comments.
                                     
2008-11-06
SUGGESTED FIX

webrev: http://sa.sfbay.sun.com/projects/deployment_data/6u11/6768136.0
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_11/6768136/
                                     
2008-11-07
EVALUATION

Some web servers do not return properly formatted 404 HTTP responses,
which can cause the Java networking stack to confuse the HTML page
corresponding to the 404 with the bytes for a class file. This causes
a ClassFormatError to be thrown from deep within the Java Plug-In,
preventing a reply for a JavaScript -> Java call from being sent back
to the web browser and leading to a browser hang.

This issue has been fixed in the following ways:

  - Explicitly catching the ClassFormatError at the point of failure
    in the JavaScript -> Java bridge.

  - Catching all Throwables, not just Exceptions, during attempted
    JavaScript -> Java invocations so that an error reply can be
    returned to the browser for Errors as well as Exceptions.

  - Explicitly disabling the codebase lookup for class loaders created
    for so-called "dummy applets", which implement the "java" and
    "Packages" keywords in the Firefox browser, so that we will not
    make the round-trip to the server for bogus classes such as
    "java.class".
                                     
2008-11-07



Hardware and Software, Engineered to Work Together