rpms / gcc

Clone
Source Code
GIT

Files

eln f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 gcc13-test main private-aoliva-gcc-4_1_1-13-branch private-aoliva-gcc-4_1_1-17-branch private-f38-toolchain private-powerpc-ada-branch private-siddhesh-bdostest rawhide rhel-f29-base rhel-f35-base
  1.   f11
  2.   README.libgcjwebplugin.so
Blob Blame History Raw 
gcjwebplugin is a Firefox plugin for running Java applets.  It is now
included in the libgcj sub-package, though it is not enabled by
default.

GNU Classpath and libgcj's security implementation is under active
development, but it is not ready to be declared secure.  Specifically,
it cannot run untrusted applets safely.

When gcjwebplugin is enabled, it prompts you with a dialog before
loading an applet.  The dialog tells you that a certain URL would like
to load an applet, and asks if you trust the applet.  Be aware though
that this dialog is mostly informative and doesn't provide much
protection:

- http and DNS can be spoofed meaning that the URL named in the
  warning dialog cannot be trusted

- someone could create a browser denial-of-service attack by creating a
  page with hundreds of applet tags, causing gcjwebplugin to create
  warning dialog after warning dialog.  The browser would have to be
  closed to eliminate the latest dialog

- the whitelist is provided as a convenience, but it is unsafe because a
  domain may change hands from a trusted owner to an untrusted owner.
  If that domain is in the whitelist then the warning dialog will not
  appear when loading the new malicious applet.

CURRENTLY GCJWEBPLUGIN RUNS WITH NO SECURITY MANAGER.  THIS MEANS THAT
APPLETS CAN DO ANYTHING A JAVA APPLICATION THAT YOU DOWNLOAD AND RUN
COULD DO.  BE *VERY* CAREFUL WHICH APPLETS YOU RUN.  DO NOT USE
GCJWEBPLUGIN ON YOUR SYSTEM IF YOUR SYSTEM STORES IMPORTANT DATA.
THIS DATA CAN BE DESTROYED OR STOLEN.

The same warning applies to gappletviewer, which also runs with no
security manager (in fact, gcjwebplugin spawns gappletviewer to do the
applet loading).  When run on the command line, gappletviewer issues a
warning on startup and asks you if you want to continue.

Even considering the risks involved, you may still want to try
gcjwebplugin.  GNU Classpath's AWT and Swing implementations are now
sufficiently mature that they're able to run many applets deployed on
the web.  If you're interested in trying gcjwebplugin, you can do so
by creating a symbolic link in ~/.mozilla/plugins like so:

ln -s /usr/lib/gcj-@VERSION@/libgcjwebplugin.so ~/.mozilla/plugins/

Type about:plugins in Firefox's URL bar to confirm that the plugin has
been loaded.  To see gcjwebplugin debugging output, run:

firefox -g

then at the GDB prompt, type

run

Please report bugs in Red Hat Bugzilla: http://bugzilla.redhat.com
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.