> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov <sergey.bylok...@oracle.com> > wrote: > >>>> If this private data can be loaded to the UIDefaults or to other class >>>> then it will be read anyway. Are the Swing/AWT properties files content >>>> really secret? >>> My point is that there are no secrets, but the bug description states that >>> such bundles can be added some day later. >> But what secret can be here? > > I think Mandy can clarify that.
The API should only allow user code to request adding a resource bundle that is accessible to the user. A private resource bundle in java.desktop that may contain security sensitive information is not intended to be registered in UIDefaults and of course it should be encapsulated. You may think that today there is no security sensitive information but we can’t guarantee until an audit to all resource bundles is done and also continuously for every change is made. Mandy