LiveConnect changes in 7u45
By costlow on Oct 15, 2013
What changed: Users are prompted to confirm a domain when it makes its first LiveConnect call.
How is this different: Previously, LiveConnect calls were allowed by default.
For the first LiveConnect call (per-site), the Java plugin will ask the user if they want to allow interactions from [this domain] to interact with the currently running RIA. This allows the user to confirm known sources (such as the hosting site) and block alternate sources, such as on-page advertising networks or browser plugins. Prompts will displayed when that a web page performs a LiveConnect call. Prompts about LiveConnect cannot be made beforehand because the caller does not exist.
The LiveConnect warning looks like this:
Developers looking to avoid this warning within their applications may use the optional Caller-Allowable-Codebase attribute within their JAR file’s Manifest. The Caller-Allowable-Codebase attribute provides a list of domains that can make LiveConnect calls in to the application. This is different than the optional Codebase attribute, which describes the domains from which JAR files may be loaded, although both use similar syntax.
Manifest-Version: 1.0 Created-By: 1.7.0_45 … Caller-Allowable-Codebase: example.com *.example.net
RIA developers looking to understand which messages will appear as a result of the end-user’s security slider may consult the Rich Internet Deployment Process flowchart. This chart depicts the checks that will be performed on a user’s system, from version-update checks through checking the signature and appropriate Manifest Permissions. The checks are split into two categories: Before your RIA and With your RIA.
Before your RIA:
- Is Java registered in the browser?
- Does a rule exist on the user’s system to whitelist this RIA? (e.g. a Deployment Rule Set)
- Is the user’s Java version at or above the security baseline?
With your RIA:
- Does the RIA have a valid code signature?
- Does the RIA meet requirements of the user’s security slider?
- Are LiveConnect calls from [this domain] allowed?