[pve-devel] new vnc 1.2 works fine now with http://fqdn....

Dietmar Maurer dietmar at proxmox.com
Sat Apr 20 16:14:28 CEST 2013


Hi Alexandre,

that really solved the problem - please can you verify:

https://git.proxmox.com/?p=vncterm.git;a=summary

Many thanks for finding this!

Besides, I still do not understand how that improves security.

> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Saturday, 20 April 2013 09:03
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] new vnc 1.2 works fine now with http://fqdn....
> 
> If I understand, it seems that the problem is that we interact from extjs JavaScript
> (unsigned code) with the VNC Java console (signed code).
> 
> Maybe adding "Trusted-Library: true" to the VncViewer.jar manifest.mf could help?
> 
> 
> ----- Original Message -----
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com>
> To: "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Saturday 20 April 2013 08:56:29
> Subject: Re: [pve-devel] new vnc 1.2 works fine now with http://fqdn....
> 
> I found this on the net:
> 
> "
> Java 7 Update 21 was released on April 16 2013 and caused our applet to start
> showing this warning dialog.
> 
> Per the release notes: As of JDK 7u21, JavaScript code that calls code within a
> privileged applet is treated as mixed code and warning dialogs are raised if the
> signed JAR files are not tagged with the Trusted-Library attribute.
> 
> To fix this edit your manifest.mf file and add a line like this:
> 
> Trusted-Library: true
> 
> You should be very careful before doing this though. If your signed applet can be
> called from javascript then a malicious user can potentially do harmful things on
> your users' computers.
> 
> One quick way to secure your applet is to prevent it from being run on other
> websites. Do this by putting code in the init() method that looks at
> getCodeBase().getHost() and throws an exception if it does not match your site.
> "
> 
> ----- Original Message -----
> 
> From: "Dietmar Maurer" <dietmar at proxmox.com>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Friday 19 April 2013 18:10:12
> Subject: RE: [pve-devel] new vnc 1.2 works fine now with http://fqdn....
> 
> > Oops, sorry, it works fine after unblocking, my VM was not started ;)
> >
> > Don't know why all the code is not signed....
> 
> Our applet is signed, but it seems that Oracle does not like our certificate.
> You can even install the CA as a trusted CA, it does not help.
> 
> But you can set the Java "Mixed Code" option to
> 
> "hide warning and run with protections"
> 
> IMHO, Oracle does not really know what they do.
> I mean, if a user wants to trust in something, why does he need to answer that
> question again and again?
> 
> And why is the code mixed? (I sign the whole applet?)
> 
> Any insights are welcome.
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
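
The host check suggested in the quoted advice, written out as an added example (it is not code from this thread or from the Proxmox applet). The class `CodeBaseGuard`, the method `requireTrustedCodeBase` and the host `pve.example.com` are hypothetical; an applet's `init()` would call `requireTrustedCodeBase(getCodeBase())`.

```java
import java.net.URI;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: binds a signed applet to the hosts allowed to serve it. */
public class CodeBaseGuard {
    // Placeholder allowlist (constructed); replace with the real server FQDNs.
    private static final Set<String> ALLOWED_HOSTS = Set.of("pve.example.com");

    /** Throws SecurityException unless codeBase is served from an allowed host. */
    static void requireTrustedCodeBase(URL codeBase) {
        if (codeBase == null) {
            throw new SecurityException("no code base");
        }
        // file: and similar URLs have an empty host; never treat that as a match.
        String host = codeBase.getHost();
        if (host == null || host.isEmpty()) {
            throw new SecurityException("code base has no host: " + codeBase);
        }
        // Host names are case-insensitive and may carry a trailing root dot.
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);
        }
        // Exact match only: a prefix or substring test would also accept
        // a name such as pve.example.com.other.test.
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new SecurityException("untrusted code base host: " + host);
        }
    }

    public static void main(String[] args) throws Exception {
        String[] samples = {   // constructed sample code bases
            "http://pve.example.com/applet/",
            "http://PVE.Example.COM./applet/",
            "http://pve.example.com.other.test/applet/",
            "file:///tmp/applet/"
        };
        for (String s : samples) {
            try {
                requireTrustedCodeBase(URI.create(s).toURL());
                System.out.println("allow  " + s);
            } catch (SecurityException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```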
