JDK-5081700 : Java Plug-In no longer supports 'javascript:' URLs after MS Hotfix 867801
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 1.4.2,1.4.2_05
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2004-08-02
  • Updated: 2005-02-10
  • Resolved: 2004-10-12
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other JDK 6
1.4.2_07Fixed 6Fixed
Related Reports
Relates :  
Description
synopsis:    Java Plug-In no longer supports 'javascript:' URLs after MS Hotfix 86780
description: FULL PRODUCT VERSION :
Applies to 1.4.2 and all recent (if not all period) JPIs.

ADDITIONAL OS VERSION INFORMATION :
Applies to any Microsoft OS to which the given hotfix has been applied

EXTRA RELEVANT SYSTEM CONFIGURATION :
See http://support.microsoft.com/?kbid=875345 for more information on Microsoft hotfix 86780.

A DESCRIPTION OF THE PROBLEM :
Microsoft's latest hot fix have broken any of out applets that use the 'javascript:' URL methodology to interact with the HTML document.

We switched to this because of all the problems with the JSObject calls (most particularly in Internet Explorer). It now appears that we are dead in the water with this hotfix.

The Hot fix mentions different calls can be made by the native code to as replacement functionality.  It appears that this means the JRE must change its native code calls for Windows.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Call a JavaScript function (in the enclosing page) from an applet via:

  appletContext.showDocument( 'javascript:...' )

Note this approach does not allow a return value, but that is not an issue in many cases.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The given JavaScript function should be called successfully.
ACTUAL -
Call is prevented by MS hotfix.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
One might argue that the workaround is to use JSObject, but:

1) JSObject is far less stable than 'javascript:' URL usage and thus is best avoided except when one needs the return value of the JavaScript function.

2) This defeats the generality of treating JavaScript calls as yet another URL type.

Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: 1.4.2_07
11-09-2004

EVALUATION Requires careful understanding of security bulletin and the mentioned workaround to provide the fix in Java Plug-in ###@###.### 2004-08-03 The API AppletContext.showDocument() internally uses DOM API window.open() to perform the operation. With the new hotfix, window.open() doesn't allow JavaScript URL usage. Hence applets using JavaScript URL in showDocument() will fail after the hotfix is applied. ###@###.### 2004-08-05 The MS IE implementation for showDocument has been changed as follows: > window.open( url, _top ); -- < if (url is javascript){ < window.execScript( "window.open(url)" ); < }else{ < window.open( url, _top ); < } ###@###.### 2004-09-10 ----------------------------------------
10-09-2004