Hi Cameron,

Cameron McCormack <[EMAIL PROTECTED]> wrote on 03/21/2006 11:56:36 PM:

> If I have a jar file A.jar that contains this single class:
> and another, B.jar, that contains another class:
> and then reference these from an SVG file:
> 
>   <svg xmlns="http://www.w3.org/2000/svg"
>        xmlns:xlink="http://www.w3.org/1999/xlink">
>     <script xlink:href="A.jar" type="application/java-archive"/>
>     <script xlink:href="B.jar" type="application/java-archive"/>
>   </svg>
> 
> I find that B cannot find the A class (in the Class.forName call).  Is
> this intended? 

   I don't think so.  This is probably just because we probably create 
a classloader for each jar if I had to guess.

> When two ECMAScript scripts are referenced, the scripts
> can see each other, by virtue of them both running on the same global
> object, so I don't know that it would be bad, security-wise, to allow B
> to create an A object in this manner.  What do you think?

   I can think of some 'weaknesses' this might introduce but it would
require one of the jar files to have been granted extra privileges and
to not be expecting an attacker to be using it.  Which mostly strikes
me as a "don't do that" kind of thing.
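An added example, not part of the original message and not Batik code: a stand-alone Java program (JDK 11 or later assumed) showing the behaviour guessed at in the reply, where each archive gets its own class loader. The classes `A` and `B`, the `findA` method and the temporary directories standing in for the two jars are constructed for illustration.

```java
import javax.tools.ToolProvider;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;

public class LoaderIsolationDemo {
    // Constructed stand-ins for the two classes elided from the original message.
    static final String SRC_A = "public class A { }";
    static final String SRC_B =
        "public class B { public static String findA() {"
      + " try { Class.forName(\"A\"); return \"found\"; }"
      + " catch (ClassNotFoundException e) { return \"not found\"; } } }";

    // Compile one source into its own directory (a directory stands in for a jar).
    static URL compile(String name, String src) throws Exception {
        Path dir = Files.createTempDirectory(name);
        Path file = dir.resolve(name + ".java");
        Files.writeString(file, src);
        int rc = ToolProvider.getSystemJavaCompiler()
                .run(null, null, null, "-d", dir.toString(), file.toString());
        if (rc != 0) throw new IllegalStateException("compile failed: " + name);
        return dir.toUri().toURL();
    }

    // Load B through the given loader and let B try Class.forName("A").
    // One-argument Class.forName resolves through the caller's defining loader.
    static String lookup(ClassLoader loaderForB) throws Exception {
        return (String) loaderForB.loadClass("B").getMethod("findA").invoke(null);
    }

    public static void main(String[] args) throws Exception {
        URL a = compile("A", SRC_A);
        URL b = compile("B", SRC_B);
        // Parent that cannot see either directory, so only the URLs matter.
        ClassLoader root = ClassLoader.getPlatformClassLoader();

        // One loader per archive, as the reply guesses: B's loader has no path to A.
        System.out.println("sibling loaders: A " + lookup(new URLClassLoader(new URL[]{b}, root)));

        // One loader over both archives: B and A share a namespace.
        System.out.println("shared loader:   A " + lookup(new URLClassLoader(new URL[]{a, b}, root)));

        // B's loader delegates to A's loader: B sees A, but A cannot see B.
        ClassLoader la = new URLClassLoader(new URL[]{a}, root);
        System.out.println("chained loaders: A " + lookup(new URLClassLoader(new URL[]{b}, la)));
    }
}
```

Sharing or chaining the loaders makes every class in A reachable from code in B, which is the exposure the reply has in mind when one archive has been granted extra privileges.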