Tuesday, June 3rd, 2008

crossdomain.xml, Java, and JNLP

Category: Java

Joshua Marinacci has detailed how Java SE 6 update 10 supports the same crossdomain.xml that Flash supports, and how you can marry it with JNLP to allow you to do Applet mashups without permission dialogs.

The applet security model, known as the sandbox, only lets applets connect to the webserver they were loaded from. They cannot connect to anywhere else unless they are signed. Signing is great when you need access to more than what is allowed inside the sandbox, but it has two problems: the user will receive an ugly warning dialog about the applet, and the applet will have full access to the user’s computer. Full access is overkill when all you want to do is talk to a webservice on another server. Surely there is some middle ground between the sandbox and full access? Well now there is.

The key is supplying a backwards compatible way of tying to the new JNLP version:

  1. <applet code="photostrip.Applet"
  2.            archive="http://projects.joshy.org/demos/PhotoStrip/webstart/PhotoStrip.jar"
  3.            width="400" height="200"
  4.            >
  5.         <param name="jnlp_href" value="http://projects.joshy.org/demos/PhotoStrip/photostrip.jnlp">
  6.         <param name="flickruser" value="31706743@N00"/>
  7.         <param name="size" value="100"/>
  8.         <param name="cols" value="4"/>
  9.         <param name="rows" value="2"/>
  10.     </param></applet>

Now the JNLP file points to the the unsigned jar:

  1. <jnlp spec="1.0+" codebase="" href="">
  2.     <information>
  3.         <title>PhotoStrip</title>
  4.         <vendor>Joshua Marinacci</vendor>
  5.         <offline -allowed />
  6.     </information>
  7.     <resources>
  8.         <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se" />
  9.         <jar href="unsigned/PhotoStrip.jar" main="true" />
  10.         <!-- Application Resources -->
  11.     </resources>
  12.   <applet -desc
  13.      name="PhotoStrip"
  14.      main-class="photostrip.Applet"
  15.      width="400"
  16.      height="200">
  17.   </applet>
  18. </jnlp>

Note: you should be aware of security issues with open cross domain files.

Posted by Dion Almaer at 8:19 am

2.8 rating from 15 votes


Comments feed TrackBack URI

I think that we need a standard for this type of file and remote mashups.

Comment by Wendelmaques — June 3, 2008

I think there might be better explanations of the potential problems related to crossdomain.xml than that linked. As the author of the article notes in his comments he had a mis-understanding of how crossdomain.xml worked when he wrote the article.

Here’s a better link that explains the problem in a real-world context (an exploit of flickr) and how it was solved.

I personally would love to see techniques for making cross domain communication easier (i.e. possible without a hack) between consenting domains. Yes, I know there are possible problems but we can solve them the same way we solve xss problems – educate the software developers.

Comment by newz2000 — June 3, 2008

Leave a comment

You must be logged in to post a comment.