I have had similar experiences with Netscape 6.2.1 and I concur with Mr. Colling’s post concerning the behavior of Netscape/Mozzila with signed JavaScript and Applets. If there is going to be any serious development to this browser using Java, then the interface between Java and JavaScript via JSObject must be enabled for signed code. Otherwise, I am sure many will be forced to release on IE 5.5/6.0 and NS 4.x. Therefore, I encourage you to consider this as part of basic functionality and not an enhancement.
I would also encourage you to consider the recognition of test certificates generated by Signtool 1.3. Certificates are a great expense to an individual developer and a development cycle can eat up a great deal of the time before expiration. Thank You for reading this post David G.Smaltz If you would like any more information, please email me at [EMAIL PROTECTED] Mitchell Stoltz <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>... > Lloyd et al, > Unfortunately, Mozilla has some limitations when it comes to > calling a signed applet from signed or unsigned Javascript. Currently, > the JS signature verifier and the java plugin have no way of sharing > signature information, which means that JS calling Java always appears > to the Java plugin to be unsigned. The plugin will always see a > signed/unsigned mix when called from JS, and all privileged operations > will fail. > > Patrick Beard suggested a possible workaround: have the applet create a > new thread and do the privileged operation (file access or whatever) on > that thread. The Java stack-walking should be confined to the new thread > and will not see the "unsigned" JavaScript stack frame. > > Brendan, I had no plans to fix this for Mozilla 1.0 - I believe fixing > exploits should take priority over enabling new functionality at this > point. What's your feeling on this? > -Mitch > > > Lloyd Colling wrote: > > Hi all, > > > > I'm facing a problem with using signed javascript and signed applets > > with the sun java plugin (1.3.1) and Mozilla release build 0.9.8 > > > > We have a frameset consisting of two frames. One frame is dedicated to > > holding an applet. This applet is signed, to enable it to do stuff > > that needs to break out of the applet sandbox. The second frame > > contains the user-interactive elements of the site. Utilising > > javascript and liveconnect, these elements interact with the signed > > applet. > > > > For convenience, let's say we want to do a file open dialog. The > > applet has the method 'public String locateFile()', which launches a > > FileDialog and returns the location of the file selected. In the > > user-interactive frame, we have a form consisting of a textfield and a > > button. The button's onClick method calls the applet's locateFile() > > method and sets the text of the textfield to the value returned. > > > > In order to do all of this, we need both the applets to be signed, and > > for the javascript to be signed. I have tried this, and it fails. > > Below are the attempts I have made, and the setups and results for > > each individual attempt. > > > > Note that in all the attempts where the applet class files are in a > > jar, that jar is signed using the sun jarsigner utility. This is > > because I am using the Sun Java Plugin, which does not understand the > > netscape signing methods. > > > > Attempt 1 > > --------- > > > > Setup: All the html files, javascript files and jar files are > > contained in a netscape-signed jar file. The page with the applet on > > references the applets using a jar file in the same directory (e.g. > > ARCHIVE="myjar.jar"). > > > > Result: The applets are not initialised. On the java console is an > > error stating that the signature block for the jar file could not be > > verified, so the applet could not be initialised. It seems that the > > java plug-in is attempting to verify the outer jar - perhaps the url > > is being given as jar:http://192.168.2.1/netscapejar.jar!/sunjar.jar > > the plugin is cutting off at the exclamation mark? > > > > Attempt 2 > > --------- > > > > Setup: All html and javascript files are in the netscape signed jar. > > The applets are unpacked and placed into the netscape jar. > > > > Result: The applets are not initialised. Again, we have the error > > stating that the signature block for the jar file could not be > > verified. Proof that the sun plugin cannot understand the netscape > > signed jars, any ideas of signing the applet jars with the netscape > > signtool are proved to be futile. > > > > Attempt 3 > > --------- > > > > Setup: All html files and javascript files in the netscape signed jar. > > The applets are held on the same server outside of the netscape jar, > > and are referenced using an absolute reference (e.g. > > ARCHIVE="http://192.168.2.1/applet/sunjar.jar";). > > > > Result: Applet is not loaded or initialised. On java console is an > > Access Denied exception on a Java Socket call to open up the address > > 192.168.2.1. - it seems that the security restrictions are regarding > > the absolute reference as going to a different host and as such are > > disallowing it. > > > > Attempt 4 > > --------- > > > > Setup: Most html and javascript files in the netscape signed jar. The > > page containing the applet tags is placed outside of the netscape jar, > > as are the applet jars. The applet reference is a relative reference > > (e.g. ARCHIVE="../../applet/sunjar.jar") > > > > Result: Applet is loaded and initialised. The button on the > > user-interactive page is clicked, but then nothing happens. Checking > > on the javascript console reveals that the enablePrivilege was not > > granted. This, I think, is because this is now a mixed signed/unsigned > > view, so the security model intervenes and stops the call. > > > > > > I think that these are all the permutations that are not blatantly > > obviously going to fail. Feel free to disagree and suggest other > > options with a good likelihood of working ^_^ > > > > Anyway, from this, I think that one of a number of things could be > > done to resolve the situation: > > > > - an update to the java plugin to handle the > > jar:http://<location>/<jar>!/<sub-jar> url syntax properly > > > > - an update to the java plugin to handle the netscape signing process > > and see those jars as being valid > > > > - an update to mozilla to allow the javascript/html bundles to be > > signed using the jarsigner tool as well / instead of the netscape > > method > > > > - a change so that the java plugin gets a more appropriate host base > > (to enable it to connect to the same host in the same protocol as the > > netscape signed jar is being accessed) > > > > - modify mozilla to use the netscape 4.x signing model... if this is > > chosen then the signtool needs to be re-done, as it seems to want to > > verify the applets referenced on the applet page as well, but fails to > > find them even when given as a relative url. > > > > - enable the netscape 4.x idea of making all scripts given on ssl > > connections signed status... this would remove the need for making the > > netscape-signed jar > > > > > > I think that's about all of it... lol! > > > > If any more information is needed, either reply to the post or reply > > to my email address <[EMAIL PROTECTED]> > > > > Thanks all, > > > > -- > > Lloyd Colling > >
