57 lines
2.4 KiB
Plaintext
57 lines
2.4 KiB
Plaintext
gcjwebplugin is a Firefox plugin for running Java applets. It is now
|
|
included in the libgcj sub-package, though it is not enabled by
|
|
default.
|
|
|
|
GNU Classpath and libgcj's security implementation is under active
|
|
development, but it is not ready to be declared secure. Specifically,
|
|
it cannot run untrusted applets safely.
|
|
|
|
When gcjwebplugin is enabled, it prompts you with a dialog before
|
|
loading an applet. The dialog tells you that a certain URL would like
|
|
to load an applet, and asks if you trust the applet. Be aware though
|
|
that this dialog is mostly informative and doesn't provide much
|
|
protection:
|
|
|
|
- http and DNS can be spoofed meaning that the URL named in the
|
|
warning dialog cannot be trusted
|
|
|
|
- someone could create a browser denial-of-service attack by creating a
|
|
page with hundreds of applet tags, causing gcjwebplugin to create
|
|
warning dialog after warning dialog. The browser would have to be
|
|
closed to eliminate the latest dialog
|
|
|
|
- the whitelist is provided as a convenience, but it is unsafe because a
|
|
domain may change hands from a trusted owner to an untrusted owner.
|
|
If that domain is in the whitelist then the warning dialog will not
|
|
appear when loading the new malicious applet.
|
|
|
|
CURRENTLY GCJWEBPLUGIN RUNS WITH NO SECURITY MANAGER. THIS MEANS THAT
|
|
APPLETS CAN DO ANYTHING A JAVA APPLICATION THAT YOU DOWNLOAD AND RUN
|
|
COULD DO. BE *VERY* CAREFUL WHICH APPLETS YOU RUN. DO NOT USE
|
|
GCJWEBPLUGIN ON YOUR SYSTEM IF YOUR SYSTEM STORES IMPORTANT DATA.
|
|
THIS DATA CAN BE DESTROYED OR STOLEN.
|
|
|
|
The same warning applies to gappletviewer, which also runs with no
|
|
security manager (in fact, gcjwebplugin spawns gappletviewer to do the
|
|
applet loading). When run on the command line, gappletviewer issues a
|
|
warning on startup and asks you if you want to continue.
|
|
|
|
Even considering the risks involved, you may still want to try
|
|
gcjwebplugin. GNU Classpath's AWT and Swing implementations are now
|
|
sufficiently mature that they're able to run many applets deployed on
|
|
the web. If you're interested in trying gcjwebplugin, you can do so
|
|
by creating a symbolic link in ~/.mozilla/plugins like so:
|
|
|
|
ln -s /usr/lib/gcj-4.1.1/libgcjwebplugin.so ~/.mozilla/plugins/
|
|
|
|
Type about:plugins in Firefox's URL bar to confirm that the plugin has
|
|
been loaded. To see gcjwebplugin debugging output, run:
|
|
|
|
firefox -g
|
|
|
|
then at the GDB prompt, type
|
|
|
|
run
|
|
|
|
Please report bugs in Red Hat Bugzilla: http://bugzilla.redhat.com
|