2 Replies Latest reply: Jan 16, 2013 10:50 PM by 984653

    Applets without prompting in 1.7.0_11+ - possible or not?

    984653
      Unsigned applets did not need a user prompt to run up to 1.7.0_10. By default, they now require a user prompt from 1.7.0_11 onward, see http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html.

      What about signed applets - is there any chance to show a "normal" user a correctly signed applet from 1.7.0_11 onward
      - WITHOUT prompting and
      - WITHOUT any administrative modifications (like changing the .java.policy, adding certificates and so on) in advance?

      Thanks, Peter.
        • 1. Re: Applets without prompting in 1.7.0_11+ - possible or not?
          950259
          The only way I've found around it is to go(/tell the user) to the Java control panel and set the Security slider back to "Medium".

          This is absolutely mind-boggling as a user process however, was it really the only way to stop the exploit?
          From a service website perspective, an obligatory popup on the default security setting is just not on.

          The criteria for "High" in the Java control panel states:
          "High restrictions for web based Java content that attempts to run on an old version"

          I'm quite happy to use the latest plugin and force the user to update their java, but so far every <EMBED> parameter configuration to explicitly request version 1.7.0.11+ hasn't got rid of the popup on "High" security mode.

          (* Note -- the "remember to allow this application" checkbox does not seem to have any effect on page refresh )

          -Jamie

          Edited by: 947256 on Jan 16, 2013 10:20 AM
          • 2. Re: Applets without prompting in 1.7.0_11+ - possible or not?
            984653
            > The only way I've found around it is to go(/tell the user) to the Java control panel and set the Security slider back to "Medium".

            I agree.

            > This is absolutely mind-boggling as a user process however, was it really the only way to stop the exploit?

            Are applets really so much more insecure compared to other web content/plugins where NO WARNINGS ARE SHOWN BY DEFAULT? For a "3 billion devices using Java" technology popping up when installing the newest jre I'd expect the opposite. If there are bugs then they should be offensively fixed instead of showing mysterious warnings to end users.

            > The criteria for "High" in the Java control panel states: "High restrictions for web based Java content that attempts to run on an old version"

            Interesting, because 1.7.0_11 is the NEWEST version, so either there is a bug (because the warning is shown also in the newest version) or Oracle meanwhile has changed their definition for "High"?

            > I'm quite happy to use the latest plugin and force the user to update their java,
            > but so far every <EMBED> parameter configuration to explicitly request version 1.7.0.11+ hasn't got rid of the popup on "High" security mode.
            > (* Note -- the "remember to allow this application" checkbox does not seem to have any effect on page refresh )

            Same for me, "remember" does NOT work as well as using the newest jre.

            Are there any other opinions about whether it is possible to show an applet in 1.7.0_11+ without requiring user prompts (especially when the applet has been correctly signed and does NOT require other permissions than it would get when running in the default applet sandbox)?

            -Peter