Tom Hawtin <usenet@[EMAIL PROTECTED]> writes:
> Applets downloaded from different hosts cannot talk to each
> other.
Probably true, I'll get back to that.
> Likewise, applets downloaded from a different host to the web
> page they are on, cannot communicate with the JavaScript from the
> other host.
Yesterday I proved that false. I was able to make my test work by
having the JavaScript (from host 1) call into the applet (from host 2),
then use InvokeLater to make the desired function execute with the
applet's security policy. By this method, the JavaScript from host 1
can make the applet do basically anything the applet is allowed to do,
including network access to the host the applet was loaded from.
The Java applet has no trouble calling the JavaScript (provided MAYSCRIPT
is true). No special security considerations were required in that
direction.
I am unsure whether the ability for JavaScript from host 1 to
invoke arbitrary public methods in the applet from host 2 is a security
problem; I haven't yet thought up any serious threats that it
would enable. On the other hand, this ability is crucial to
my project, so I'm glad it works.
Perhaps the InvokeLater approach might allow applets loaded from
different hosts (by the same HTML page) to interact, though I have not
tried this. If not directly, one applet could (if MAYSCRIPT is true)
invoke JavaScript on the HTML page that could in turn invoke public
methods of the other applet.
> So, either put everything for the page on one host, or use port
> forwarding (through your router, if your server supports it something
> like ipfw/ipchains/iptables or a small forwarding server).
We can't easily do that, because the applet MUST reside on a
host with very high internet bandwidth available (for the back end that
the applet communicates with), while the HTML page MUST be able to reside
on a host not of our own choosing. The web server for the HTML page
cannot be in the data path between the applet and the back end server.
In principle, the JavaScript code could be served up by the back end
server where the applet resides, if that was needed to enable the
JavaScript and Java applet to interact. However, I suspect that the
security policies are based on where the HTML came from, not where
separately included JavaScript came from.
Eric
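
An added example, not part of the original post or the poster's project: one way an applet that accepts calls from page JavaScript could expose a single vetted entry point before handing work to invokeLater, so that script served from another host can only trigger allowlisted operations against the host the applet was loaded from. The class name ScriptGate, the operation names and the example hosts are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Set;
import javax.swing.SwingUtilities;

// Added example: ScriptGate, its operation names and the hosts are hypothetical.
public class ScriptGate {
    private static final Set<String> ALLOWED_OPS = Set.of("status", "fetch");
    private final String codebaseHost; // host the applet was loaded from

    public ScriptGate(String codebaseHost) {
        this.codebaseHost = codebaseHost;
    }

    // Single entry point intended for page JavaScript; all other methods stay non-public.
    public String request(String op, String arg) {
        if (op == null || !ALLOWED_OPS.contains(op)) {
            return "rejected: unknown operation";
        }
        if (op.equals("fetch") && !targetsCodebase(arg)) {
            return "rejected: URL is not on the applet's own host";
        }
        // Hand the vetted request to the event thread, as the post does with invokeLater.
        SwingUtilities.invokeLater(() -> perform(op, arg));
        return "queued";
    }

    // True only for http(s) URLs whose host equals the codebase host.
    boolean targetsCodebase(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            return scheme != null
                && (scheme.equals("http") || scheme.equals("https"))
                && codebaseHost.equalsIgnoreCase(u.getHost());
        } catch (Exception e) { // null or malformed input
            return false;
        }
    }

    // Stand-in for the applet's real work; this example only logs the vetted request.
    private void perform(String op, String arg) {
        System.out.println("running " + op + (arg == null ? "" : " " + arg));
    }

    public static void main(String[] args) {
        ScriptGate gate = new ScriptGate("backend.example"); // constructed sample host
        System.out.println(gate.request("fetch", "https://backend.example/data"));
        System.out.println(gate.request("fetch", "https://other.example/data"));
        System.out.println(gate.request("exec", "anything"));
    }
}
```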

