javaappletmanifestsigned-applet

Java applet manifest - Allow all Caller-Allowable-Codebase


As of Java 7u45 an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via javascript and that page isn't listed in the manifest's Caller-Allowable-Codebase attribute.

Release notes about this change: http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

Oracle blog post about this bug: https://blogs.oracle.com/java-platform-group/entry/7u45_caller_allowable_codebase_and

Attribute description: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#caller_allowable

I have tried just a wildcard (*), but I still get the warning.

Is there a way around this other than listing all codebases it may run at?

The reason this is a problem for me is that this applet runs on many different machines and networks, but always on intranets at various locations. This applet also needs to communicate with javascript because it talks to local USB scales and displays results and interacts with the page.

Example of warning message

Applet in question: https://github.com/JaggedJax/CIO_Scale


Solution

  • Removing the Trusted-Library attribute seems to be mandatory to get Caller-Allowable-Codebase working, no more warnings. However, this breaks Java 7 Update 21 - 40 which treated JavaScript code that calls code within a signed applet running with all permissions as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute.