Lunascape Support Forum
http://support.lunascape.tv/

Enable/Disable Java Calls Through JavaScript
http://support.lunascape.tv/viewtopic.php?f=25&t=1493
Page 1 of 1

Author:  nosecrets [ Fri Jun 10, 2011 7:17 am ]
Post subject:  Enable/Disable Java Calls Through JavaScript

I'd like to have something like a switch (checkbox) in the Lunascape settings that can enable or disable Java through JavaScript.

I'm not sure if this is possible in the browser or if it is more an engine feature. But the option to switch that on and off would increase security.
IE disables all Java calls from JavaScript since ever for security reason. Current FF does not, earlier versions did -- as far as I can remember.

If Lunascape could add that feature, that would be amazing.

Author:  sarah@Lunascape [ Fri Jun 10, 2011 4:47 pm ]
Post subject:  Re: Enable/Disable Java Calls Through JavaScript

Hi nosecrets,

I'm not sure if this will be exactly the same as your request, but you can on/off Java and Script from the Status bar at the right side bottom of the Lunascape browser. If you don't see the icons, you can go to the Side bar > Settings and right-click on the Status Bar to select "Reset". It will display both icons, and you can enable/disable executing script/java.

Hope this helps,

Author:  nosecrets [ Sat Jun 11, 2011 3:33 pm ]
Post subject:  Re: Enable/Disable Java Calls Through JavaScript

Hi Sarah,

Thanks for your answer.
I already know that I can enable/disable Java/JavaScript. But I do not want to disable them. I'd rather like to have control whether JavaScript is permitted to call Java methods or not.

As you know, Java runs in a virtual environment and has its own security model which creates a relatively protected environment.
Everything that runs in that protected environment should stay in there just for Java. If another application can access that environment, then it's no longer protected and therefore not secure.

JavaScript does not run in a secure environment, therefore JavaScript cannot do things Java can. For example reading and writing files is not possible in JavaScript. If it could write files we lose all and any security. Because any page you open in the internet would then be able to access your computer's file system.

In Firefox it is possible to execute some Java code initiated by JavaScript. That means JavaScript punches a hole into Java's protected environment and now can do things JavaScript should not be able to do. That is a security violation.
In IE that's impossible.

You can test that yourself. The following simple JavaScript code calls Java which then gets the computer's host name and IP address:
Code:
javascript:var addr=java.net.InetAddress.getLocalHost();alert(addr.getHostName()+"\n"+addr.getCanonicalHostName()+"\n"+addr.getHostAddress())
Just enter the code in the address bar (all on one line) and hit return. It may take a few seconds until Java's Virtual Machine has been started.
Gecko then displays the message box, IE does not -- Gecko is insecure, IE is secure.

I'd like to have control over that behaviour.

Author:  sarah@Lunascape [ Mon Jun 20, 2011 7:01 pm ]
Post subject:  Re: Enable/Disable Java Calls Through JavaScript

Hi nosecrets,

I see your point. I'll log it as a feature request.

Regards,

Page 1 of 1 All times are UTC - 8 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/