JDK-6745455 : Firefox extensions using Java don't work with new Java Plug-In
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u10
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-09-05
  • Updated: 2013-01-10
  • Resolved: 2009-01-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6u12 b02Fixed
Related Reports
Relates :  
JDK-6745485 - Firefox browser crash with "javascript:alert(window.java);"
Relates :  
JDK-6826531 - Add class by default to elevate security in Firefox extensions
Relates :  
JDK-6695751 - Plugin2 returns sun.plugin2.liveconnect.JavaNameSpace instead of the correct JavaClass specified
Relates :  
JDK-6857588 - "java.lang.RuntimePermission createClassLoader" from Firefox 3.5 extension
Description
Firefox extensions that use Java are not working with the new Java Plug-In. There appear to be at least a couple of reasons for this:

  - The URL for such extensions starts with "chrome://", which causes a MalformedURLException when parsed by the URL class when producing the document base for the web page. This is causing some of the initialization code for the applet container to bail out.

  - Based on discussions with Mozilla it appears that the JavaScript in browser extensions is granted full privileges, and the previous OJI implementation of the Java Plug-In was informed of that fact when making JavaScript-to-Java calls. Most browser extensions that use Java rely on these elevated privileges. With the new Java Plug-In we do not have the ability to determine on a call-by-call basis whether additional privileges should be granted. However, it seems we need to figure out some way to do this on a page-by-page basis, or in particular, whether we are running in the context of a browser extension.

There have been a few reports of this problem. One is on the forums at http://forums.java.net/jive/thread.jspa?threadID=45933&tstart=0 . Another way to provoke the first failure is to simply load the URL "javascript:alert(window.java);" in Firefox. An extract from an email exchange on this topic with another (large) test case is attached.
Comments
SUGGESTED FIX webrev: http://sa.sfbay.sun.com/projects/deployment_data/6u12/6745455.0 testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_12/6745455/
19-11-2008
EVALUATION Firefox extensions which use Java expect to be able to call from JavaScript to Java from a privileged context. Such extensions come from URLs starting with "chrome://" and the browser displays a security warning before installing such extensions. Therefore for compatibility reasons we grant all permissions to incoming JavaScript calls coming from such URLs.
19-11-2008