Java applet manifest - Allow all Caller-Allowable-Codebase

William W picture William W · Oct 16, 2013 · Viewed 39k times · Source

As of Java 7u45 an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via javascript and that page isn't listed in the manifest's Caller-Allowable-Codebase attribute.

Release notes about this change: http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

Oracle blog post about this bug: https://blogs.oracle.com/java-platform-group/entry/7u45_caller_allowable_codebase_and

Attribute description: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#caller_allowable

I have tried just a wildcard (*), but I still get the warning.

Is there a way around this other than listing all codebases it may run at?

The reason this is a problem for me is that this applet runs on many different machines and networks, but always on intranets at various locations. This applet also needs to communicate with javascript because it talks to local USB scales and displays results and interacts with the page.

Example of warning message

Applet in question: https://github.com/JaggedJax/CIO_Scale

Answer

fiffy picture fiffy · Oct 16, 2013

My findings are the same:

This prevents warnings with Java 7u21 - 7u40:

Manifest-Version: 1.0
Trusted-Library: true

This exclusivly prevents warnings with Java 7u45:

Manifest-Version: 1.0
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *

Mixing both won't work in 7u45.

Now what? Did anyone find a way to allow SIGNED applets with "all-permissions" to run without warnings in both JRE-versions?

What the hell is wrong with oracle?