JDK-8027405 : Properly configured LiveConnect Applets must work even on JREs below the baseline by default

Details
Type: Enhancement
Submit Date: 2013-10-28
Status: Closed
Updated Date: 2014-01-16
Project Name: JDK
Resolved Date: 2013-11-18
Component: deploy
OS:
Sub-Component: plugin
CPU:
Priority: P2
Resolution: Fixed
Affected Versions: 7u25,7u40
Fixed Versions: 7u51 (b08)

Related Reports
Backport:
Backport:
Backport:

Sub Tasks

Description
Requirement:

For applets using LiveConnect that:
    - Are properly signed
    - Utilize the permissions attribute
    - Specify caller-allowable-codebase (wildcard or explicit url)

Treat all inbound LiveConnect calls from the allowable codebase(s) as "trusted" even if the current JRE is below the security baseline.

Background

As part of our efforts to secure systems that rely on the Java Plugin we added increased restrictions to the JRE that kick in whenever the JRE falls below the security baseline or expires.  One such restriction is that self-signed and unsigned code can no longer run by default.

LiveConnect calls are always considered "unsigned" so even though the applet that handles LiveConnect calls might be properly signed we still treat the application as "unsigned".

With the release of 7u45, which drove 7u25 and 7u40 to below the security baseline, calls to LiveConnect - even to applets that are being properly maintained, signed and with all the new required attributes present (e.g. caller-allowable-codebase is included in the manifest) - are being blocked by default on systems that are not updated to the latest JRE (7u45). Companies that rely on services provided by LiveConnect applets consumed by users outside of their control are having to ask their end users to update to 7u45 or to lower the security slider for 7u40/7u25 to medium to continue being able to use their services.

This has already resulted in high-level escalations to which the only answer we can give is you must "encourage" your users to update to 7u45, and you will have to do this again with every JRE update that moves the security baseline.

Since we already provide developers with mechanisms for restricting the use of LiveConnect to sites that they trust we can lower the constraints against the use of LiveConnect such that if a developer updates the applet itself with all the required attributes - for the time being the caller-allowable-attribute, in the future that might include new deployment descriptor - and signs it the applet will be considered "signed" even though the JavaScript itself can't be signed.

http://oracleplan.oracle.com/goto?ra_=entity&entityType=FEATURE&entityId=1140123
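
A pre-deployment check for the three conditions listed under Requirement, as an added example that is not part of the original report or the JDK's own code. It assumes the manifest attribute names `Permissions` and `Caller-Allowable-Codebase`, only checks that signature files are present (it does not verify them, which `jarsigner -verify` does), and uses sample JARs constructed in memory.

```python
import io
import zipfile

REQUIRED = ("Permissions", "Caller-Allowable-Codebase")

def parse_manifest(text):
    """Main-section attributes of a JAR manifest, keyed by lower-cased name."""
    logical = []
    for raw in text.splitlines():
        if not raw:
            if logical:
                break                      # blank line ends the main section
        elif raw.startswith(" ") and logical:
            logical[-1] += raw[1:]         # continuation of a wrapped value
        else:
            logical.append(raw)
    pairs = (line.partition(": ") for line in logical)
    return {name.lower(): value.strip() for name, sep, value in pairs if sep}

def check_jar(jar_bytes):
    """Return findings; an empty list means none of the checks below fired."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        mf = next((n for n in names if n.upper() == "META-INF/MANIFEST.MF"), None)
        if mf is None:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_manifest(jar.read(mf).decode("utf-8"))
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    findings = []
    # Presence check only: a signature file plus a signature block file.
    if not (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)):
        findings.append("no signature files")
    for name in REQUIRED:
        if not attrs.get(name.lower()):
            findings.append("missing manifest attribute: " + name)
    if attrs.get("caller-allowable-codebase") == "*":
        findings.append("review: Caller-Allowable-Codebase is a bare wildcard")
    return findings

def build_sample_jar(manifest, signed=True):
    """Constructed sample: in-memory JAR with placeholder signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "placeholder")
            jar.writestr("META-INF/SAMPLE.RSA", "placeholder")
    return buf.getvalue()
```

A bare `*` still satisfies the requirement as written, so it is reported as a review item rather than a failure: it means JavaScript from any site would be treated as a trusted caller.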
                                    

Comments
Don't know if this requires backport. If the same restrictions that motivated this enhancement were backported to 6 then this needs to be backported
                                     
2013-12-04
We assume the enhancement caused a regression in 7u deploy sandbox:
https://bugs.openjdk.java.net/browse/JDK-8028292

We need evaluation of the JDK-8028292 before the approval to CPU14_01
                                     
2013-11-13


