jldubz / jzebra

Automatically exported from code.google.com/p/jzebra
0 stars 0 forks source link

Checkbox to suppress dialog does not appear using HTTPS #189

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
A detailed debug of the applet (hitting 5 as quickly as possible in the Java 
console) may show this:

Missing Application-Library-Allowable-Codebase manifest attribute for: 
http://localhost/qz-print.jar

This is caused when mixing secure and insecure elements in the JNLP/JAR loading 
process.

For example, if your page is hosed at:
https://localhost/sample.html

But your JNLP is pointing to:
http://localhost/qz-print_jnlp.jnlp

Then you will receive this message.  The message is misleading because it 
suggests the JAR is what's missing the HTTPS, but this is because for secure 
websites, you want to be 100% sure the JNLP is being loaded from the same 
location to *help* protect against cross-site JNLP loading.

-Tres

Original issue reported on code.google.com by tres.fin...@gmail.com on 22 Nov 2013 at 1:49

GoogleCodeExporter commented 9 years ago

Original comment by tres.fin...@gmail.com on 22 Nov 2013 at 1:51

Attachments:

GoogleCodeExporter commented 9 years ago
Ok, I've been studying this closely for various clients and I've come across 
another scenario:

It is caused by Java appending a 443 to the end of the domain on secure URLs, 
which breaks it's codebase checks (the slight mismatch makes it believe it is 
hosted by a different website).  This is most certainly a bug with Java but I 
can't pinpoint why it only happens for some users.

There's two work-arounds for this issue.

1.  One is for us to recompile of the plugin using this new attribute:

> Application-Library-Allowable-Codebase *

2.  Another is for the web server to be configured to ALWAYS have the website 
append ":443" to the end of the hostname for secure URLs.  Why this doesn't 
happen for other common ports (:80) I'm not sure.

I plan to add the new attribute in 1.8.0 with the hopes that Oracle doesn't 
change their mind on allowing it.

-Tres

Original comment by tres.fin...@gmail.com on 30 Nov 2013 at 8:29

Attachments:

GoogleCodeExporter commented 9 years ago
Fixed in 1.8.0 by adding Application-Library-Allowable-Codebase: *.

This allows cross-site scripting, so it may be blocked in future Java versions 
without warning from Oracle.

Since printing (generally) has low security risk, I've added a feature that 
blocks malicious file extensions when using printToFile().

Closing and marking as fixed.  Please reopen if needed.

-Tres

Original comment by tres.fin...@gmail.com on 5 Dec 2013 at 3:39