Date: Mon, 12 May 1997 13:34:07 -0700
Message-Id: <199705122034.NAA19053@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: delaport@ls7.informatik.uni-dortmund.de
Subject: Re: Java-dependant problem

Thanks for your feedback.

> Even if this problem only occurs
> with Netscape, I think it would be
> a good idea (I mean: for security
> reasons) to make the interpreter
> check the invoked URLs and allow
> only those with a safe protocol.

I believe this is an application-specific policy decision (which
protocols to consider safe), not a VM-level decision.

I don't think you'd want the JVM to be making policy decisions about
which protocols it would honor; rather, you'd want an application,
under control of a policy configuration for that application, to
either allow or not allow certain protocols.

I agree with your concern that as things currently stand, using
JavaScript to call Java (or vice versa) is a security concern.

Marianne
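
The application-level approach described in the message above, as an added example that is not part of the original e-mail and is not code from Sun or Netscape: each application loads its own policy naming the protocols it will honor and checks every URL against it before use, denying by default. The class name `ProtocolPolicy`, the `allowed.protocols` key and the sample policies and URLs are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

// Hypothetical application-level check: each application carries its own
// policy naming the URL protocols it will honor; the VM decides nothing.
public class ProtocolPolicy {
    private final Set<String> allowed = new HashSet<>();

    // Policy text uses an assumed key, e.g. "allowed.protocols = http, https".
    public ProtocolPolicy(String policyText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(policyText));
        for (String s : p.getProperty("allowed.protocols", "").split(",")) {
            String scheme = s.trim().toLowerCase(Locale.ROOT);
            if (!scheme.isEmpty()) allowed.add(scheme);
        }
    }

    // Default deny: unparsable URLs, relative references (no scheme) and
    // protocols missing from this application's policy are all refused.
    public boolean permits(String url) {
        try {
            String scheme = new URI(url.trim()).getScheme();
            return scheme != null && allowed.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample policies for two different applications.
        ProtocolPolicy browser = new ProtocolPolicy("allowed.protocols = http, https, ftp");
        ProtocolPolicy kiosk = new ProtocolPolicy("allowed.protocols = https");
        // Constructed sample URLs, including a scripting scheme and a malformed one.
        String[] urls = { "https://example.com/", "FTP://example.com/pub",
                          "javascript:void(0)", "/relative/path", "ht tp://bad" };
        for (String u : urls) {
            System.out.printf("%-24s browser=%-5b kiosk=%b%n", u, browser.permits(u), kiosk.permits(u));
        }
    }
}
```

The same URL gets a different answer from each application's policy, and the `javascript:` URL is refused by both because neither policy lists that protocol.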