JDK-6826531 : Add class by default to elevate security in Firefox extensions
  • Type: Enhancement
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u10
  • Priority: P5
  • Status: Closed
  • Resolution: Future Project
  • OS: windows_vista
  • CPU: x86
  • Submitted: 2009-04-06
  • Updated: 2011-02-16
  • Resolved: 2009-04-06
Description
A DESCRIPTION OF THE REQUEST :
In order to simplify things for Firefox extension developers, could the URLSetPolicy code used in the Java Firefox Extension (which is under a BSD type license--see justification below) or its equivalent be made accessible by default in Firefox, whether through your plugin or by an agreement with Mozilla (perhaps you can have more clout getting something into Mozilla, as most of my previous LiveConnect reports have been ignored)?

(Maybe there could even be some built-in mechanism which avoided the need for reflection to call constructors with arguments, etc., as I recall was necessary when I was more actively working with LiveConnect.)

Thank you

JUSTIFICATION :
There have been a lot of frantic communications and lack of clarity from Firefox extension developers who wanted to use Java in their extensions, and I think this should simplify things.

As raised at http://forums.java.net/jive/thread.jspa?threadID=45933 , in order to be able to load JARs and do interesting things in a Firefox extension (which by definition already has elevated privileges, so adding privileges for Java as well should not be harmful and would stand to reason), it is really necessary to be able to elevate Java privileges such as was discussed in the above thread and demonstrated in the Java Firefox Extension at http://simile.mit.edu/wiki/Java_Firefox_Extension (see also https://developer.mozilla.org/en/Java_in_Firefox_Extensions --a wiki page which incidentally I hope Sun may consider watching/updating since many Firefox developers come to that page looking for current answers).

If one cannot use one's own JARs with privileges, it really makes LiveConnect much less meaningful to a Firefox extension developer, and not having to learn this trick / go through the hassle of adding the Java Firefox Extension code for each of their Java-using Firefox extensions should be helpful for many developers just trying to add a little Java to their extensions...


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Use some built-in global or automatically get elevated privileges for JARs/classes one wishes to load in a Firefox extension.

Comments
EVALUATION
It doesn't seem like a good idea to incorporate this code into Firefox. More documentation and examples are certainly needed, and perhaps someone can figure out a simpler framework for accessing complex Java code within Firefox extensions. Incorporating this code into Firefox would make it more difficult to evolve it in the future. The Java Plug-In already grants full permission during JavaScript-to-Java calls from Firefox extensions; see 6745455. Very careful thought would need to be given to unilaterally granting even more permissions in this context. With the new Java Plug-In you can use the "new" operator from JavaScript to create new Java objects; certain reflective constructs are no longer needed. I doubt that there is anything we will be able to do to the Java Plug-In to address this RFE. I recommend instead working with the community to come up with simpler frameworks and more up-to-date examples to achieve this goal.
06-04-2009