On 04/11/2013 04:23 PM, mark.reinh...@oracle.com wrote:
Posted: http://openjdk.java.net/jeps/183
I have a few comments/random thoughts about this. It says:
Security: Will need to be reviewed carefully since this feature does relax the network security model in two ways: No explicit network permission will be required for certain (simple) cross-origin HTTP requests, as defined by CORS. Permissions for other (non simple) requests will be delegated to the server hosting the target resource.
I think this makes a lot of assumptions about the running code and its security environment (in particular it seems to target applets and JWS).
Generally speaking, I think that the model of relaxing client security permissions based on a server resource is quite dangerous, in particular outside of an applet/JWS environment. I think a different model should be looked at that does not involve (effectively) granting HTTP connection privileges based on the server (at least, not always), but instead requires that the permissions already be granted; it would be more secure to use a separate client context which tracks what resources the server has granted access to, while still enforcing the full set of client permissions at all times.
In this case it is the server that should be mistrusted, not the client, since the server is the party which is potentially granting permissions. If you grant an HTTP access permission to a server, you are implicitly giving that server the ability to grant the running code any other HTTP access permission they want.
One thought is that applets/JWS could adopt the Java EE 7 permissions.xml model. This would be a convenient mechanism to give an application access to more than its original permission set, and it would still be possible to authorize the additional permissions with the user before the program is run.
Thanks for listening.

-- 
DML
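The two models in the discussion above, as an added policy simulation that is not part of this thread or of the JEP: the JEP-style relaxation (client permission or server CORS grant suffices) beside the "separate client context" model the reply argues for (client permission always enforced, server grant tracked on top). The CORS simple-request classification follows the public CORS rules; the request and grant objects, host names, and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# CORS "simple request" criteria: method, header names and content-type.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADER_NAMES = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


@dataclass(frozen=True)
class Request:
    origin: str                     # origin of the running code, e.g. "https://app.example"
    url: str                        # target resource
    method: str = "GET"
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class ServerGrant:
    """What the target server says in its CORS response headers (constructed sample)."""
    allow_origin: str                          # Access-Control-Allow-Origin value
    allow_methods: frozenset = frozenset()     # Access-Control-Allow-Methods from a preflight


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_simple(req: Request) -> bool:
    """CORS classification: simple requests are sent without a preflight."""
    if req.method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in req.headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADER_NAMES:
            return False
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def server_allows(req: Request, grant: Optional[ServerGrant]) -> bool:
    """Does the target server's CORS policy admit this request from this origin?"""
    if grant is None:
        return False
    if grant.allow_origin not in ("*", req.origin):
        return False
    if is_simple(req):
        return True                 # simple: no preflight, the ACAO header alone decides
    return req.method.upper() in {m.upper() for m in grant.allow_methods}


def jep183_style(req: Request, client_hosts: set, grant: Optional[ServerGrant]) -> bool:
    """Relaxation as quoted from the JEP: an explicit client permission still suffices,
    and absent one, simple requests go through and non-simple ones are decided by the
    target server. The server is therefore the party that effectively grants access."""
    if host_of(req.url) in client_hosts:
        return True
    return server_allows(req, grant)


def separate_context(req: Request, client_hosts: set, grant: Optional[ServerGrant]) -> bool:
    """Model argued for in the reply: the client's permission set is enforced
    unconditionally; what the server has granted is tracked separately and can only
    narrow, never widen, the access the client already has."""
    if host_of(req.url) not in client_hosts:
        return False
    if host_of(req.url) == host_of(req.origin):
        return True                 # same-origin: nothing for the server to grant
    return server_allows(req, grant)


def compare(req: Request, client_hosts: set, grant: Optional[ServerGrant]) -> dict:
    return {"jep183": jep183_style(req, client_hosts, grant),
            "separate_context": separate_context(req, client_hosts, grant)}


if __name__ == "__main__":
    code_may_reach = {"app.example"}    # the only host the client policy permits
    # A third-party server that answers the preflight generously: under the JEP-style
    # model this non-simple request succeeds with no client permission at all.
    hostile = Request("https://app.example", "https://evil.example/admin", "DELETE")
    print("DELETE evil.example:", compare(hostile, code_may_reach,
                                          ServerGrant("*", frozenset({"DELETE"}))))
    # A simple GET elsewhere: allowed by the JEP model, denied by the separate-context model.
    simple = Request("https://app.example", "https://api.example/profile")
    print("GET api.example:   ", compare(simple, code_may_reach,
                                         ServerGrant("https://app.example")))
```

The `hostile` case is the point made in the reply: once the target server decides, a server the code was never permitted to reach can grant itself any request it likes; the separate-context model refuses it because `evil.example` is not in the client's own permission set, whatever the preflight says.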