JDK-6768136 : Malformed 404s cause breakage of Java/JavaScript bridge and browser hangs
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u11
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-11-06
  • Updated: 2010-09-08
  • Resolved: 2008-11-07
JDK 6: 6u11 b03 (Fixed)
Description
Some web servers are misconfigured and do not return correctly formed 404 errors; the 404 is returned as an HTML page but the status code of the HTTP reply is not set. This causes the Java networking stack to become confused and the Java Plug-In to attempt to define a class with the contents of the 404 HTML page, which causes the JavaScript/Java bridge to break and the browser to hang.

Comments
SUGGESTED FIX
webrev: http://sa.sfbay.sun.com/projects/deployment_data/6u11/6768136.0
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_11/6768136/
07-11-2008

EVALUATION Some web servers do not return properly formatted 404 HTTP responses, which can cause the Java networking stack to confuse the HTML page corresponding to the 404 with the bytes for a class file. This causes a ClassFormatError to be thrown from deep within the Java Plug-In, preventing a reply for a JavaScript -> Java call from being sent back to the web browser and leading to a browser hang. This issue has been fixed in the following ways:
- Explicitly catching the ClassFormatError at the point of failure in the JavaScript -> Java bridge.
- Catching all Throwables, not just Exceptions, during attempted JavaScript -> Java invocations so that an error reply can be returned to the browser for Errors as well as Exceptions.
- Explicitly disabling the codebase lookup for class loaders created for so-called "dummy applets", which implement the "java" and "Packages" keywords in the Firefox browser, so that we will not make the round-trip to the server for bogus classes such as "java.class".
07-11-2008
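
The failure mode described in the evaluation above, as an added illustration (not the Java Plug-In's code and not the actual fix): defining a class from an HTML error page throws ClassFormatError, which is an Error, so a handler that catches only Exception never produces a reply. The class and method names are hypothetical, the HTML body is constructed, and the magic-number check is an extra precaution that the evaluation does not mention.

```java
import java.nio.charset.StandardCharsets;

public class BridgeReplyDemo {
    // Hypothetical loader: defines a class from whatever bytes the "server" returned.
    static class BytesLoader extends ClassLoader {
        Class<?> define(String name, byte[] body) {
            // Throws ClassFormatError when the bytes are not a class file.
            return defineClass(name, body, 0, body.length);
        }
    }

    // Extra precaution (assumption, not part of the described fix):
    // a class file starts with the magic number 0xCAFEBABE, an HTML page does not.
    static boolean looksLikeClassFile(byte[] b) {
        return b.length >= 4 && (b[0] & 0xFF) == 0xCA && (b[1] & 0xFF) == 0xFE
                && (b[2] & 0xFF) == 0xBA && (b[3] & 0xFF) == 0xBE;
    }

    // Before: only Exceptions become a reply; an Error escapes and the caller waits forever.
    static String invokeCatchingException(byte[] body) {
        try {
            new BytesLoader().define("Foo", body);
            return "OK";
        } catch (Exception e) {
            return "ERROR: " + e.getClass().getName();
        }
    }

    // After: every Throwable, Errors included, is turned into an error reply.
    static String invokeCatchingThrowable(byte[] body) {
        try {
            new BytesLoader().define("Foo", body);
            return "OK";
        } catch (Throwable t) {
            return "ERROR: " + t.getClass().getName();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a 404 page delivered as if it were the class bytes.
        byte[] html = "<html><body>404 Not Found</body></html>".getBytes(StandardCharsets.US_ASCII);
        System.out.println("looks like a class file: " + looksLikeClassFile(html));
        System.out.println("catch Throwable -> " + invokeCatchingThrowable(html));
        try {
            System.out.println("catch Exception -> " + invokeCatchingException(html));
        } catch (ClassFormatError e) {
            System.out.println("catch Exception -> no reply, " + e.getClass().getName() + " escaped");
        }
    }
}
```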

EVALUATION see comments.
06-11-2008