Java applet manifest - Allow all Caller-Allowable-Codebase
As of Java 7u45 an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via javascript and that page isn't listed in the manifest's Caller-Allowable-Codebase attribute.
Release notes about this change: http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html
Oracle blog post about this bug: https://blogs.oracle.com/java-platform-group/entry/7u45_caller_allowable_codebase_and
Attribute description: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#caller_allowable
I have tried just a wildcard (*), but I still get the warning.
Is there a way around this other than listing all codebases it may run at?
The reason this is a problem for me is that this applet runs on many different machines and networks, but always on intranets at various locations. This applet also needs to communicate with javascript because it talks to local USB scales and displays results and interacts with the page.
Applet in question: https://github.com/JaggedJax/CIO_Scale
Answer
My findings are the same:
This prevents warnings with Java 7u21 - 7u40:
Manifest-Version: 1.0
Trusted-Library: true
This exclusivly prevents warnings with Java 7u45:
Manifest-Version: 1.0
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Mixing both won't work in 7u45.
Now what? Did anyone find a way to allow SIGNED applets with "all-permissions" to run without warnings in both JRE-versions?
What the hell is wrong with oracle?