(no subject)

From: the Pull (iuoi@iou.com)
Date: 09/26/02 

From: the Pull <iuoi@iou.com>
Date: Thu, 26 Sep 2002 09:19:30 GMT

flex wrote:
>
> "the Pull" <iuoi@iou.com> wrote in message news:3D8FE0C9.79312AD7@iou.com...
> > That option should not work. Local is higher than trusted, for one. For
> > another, they were attempted to avoid all potential holes that could
> > use local files.
> >
> >
> >
> > flex wrote:
> > >
> > > "the Pull" <iuoi@iou.com> wrote in message
> news:3D8D3EE5.659165F8@iou.com...
> > > >
> > > >
> > > > Steve wrote:
> > > > >
> > > > > Thanks 'the Pull' for your response. Webstart requires Java 2 and
> > > > > higher. The product I have is totally written in java 1.1 and there
> is
> > > > > a reason why - it is compatiable with most browsers.
> > > >
> > > > Ah, yes, I recall, though we had users upgrade... we simply had to
> > > > use a lot of the latest features. It is a quick download.
> > > >
> > > >
> > > >
> > > > > The most popular
> > > > > browser is IE and its default VM only supports java 1.1, so it
> crucial
> > > > > for me to stay in java 1.1 - to try to support everyone. I have done
> > > > > this so far and only problem I have now is IE's new patch does not
> > > > > allow to redirect to local files.
> > > >
> > > > Right, right. Well, I do not know java so super well, but do know IE
> > > > and the nature of their change... I also know browser security pretty
> > > > well, having found several bugs in them and written some. I know that
> > > > there will not be an easy way to do this using a browser trick. I
> would
> > > > suggest searching for webstart clones... or asking on a java group,
> > > > probably some trick, at worst, asking permission from the user.
> > > >
> > > >
> > > > >
> > > > > I am not sure if i can clear it up more on my model but I will
> quickly
> > > > > try again. I have a product that is an applet that is composed of
> jar
> > > > > signed file (they are BIG). Now instead of waiting a good amount
> > > > > everytime you want to load the applet (because you have the browser
> > > > > has to redownload), I created an installer that downloads the file
> to
> > > > > your local drive and you can load the applet from there. Everytime
> you
> > > > > visit the applet, the installer checks if you downloaded the files
> > > > > before and if you did, it automatically redirects you to the local
> > > > > html file which loads the applet immediately. If the installer
> detects
> > > > > you never downloaded the files, it downloads them, and redirects you
> > > > > (to load the applet locally).
> > > >
> > > > Yeah, you want it cached, right? And, IE's jvm won't cache it but will
> > > > force a new download, and you don't want that? I would look up "cache
> > > > jar Java" at groups.google.com, without the quotes, myself. This is
> > > > distinctly a java problem, not IE. You don't want to rely on browser
> > > > tricks, imo, and this sounds like a common problem. I know with
> activex
> > > > it won't do this, it registers the activex, and there may be an
> > > > interface to register the jar file if it is enclosed as a cab or
> something
> > > > so IE will check the clsid... but, just not sure. (Though, this does
> > > > sound familiar).
> > > >
> > > >
> > > >
> > > >
> > > > >
> > > > > Thanks again
> > > > > Steve
> > > >
> > > > --
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Sweeper - the file scanner
> > > > http://members.cox.net/osioniusx
> > >
> > > Try adding the path to the trusted sites list in IE Options.
> > >
> > > Flex
> >
> > --
> >
> >
> >
> >
> >
> > Sweeper - the file scanner
> > http://members.cox.net/osioniusx
>
> I realize that local is higher than trusted...but in response to the
> statement
>
> > > > The most popular
> > > > browser is IE and its default VM only supports java 1.1, so it crucial
> > > > for me to stay in java 1.1 - to try to support everyone. I have done
> > > > this so far and only problem I have now is IE's new patch does not
> > > > allow to redirect to local files.
> > >
> perhaps I was not clear... my suggestion is to work around the patch problem
> of not allowing redirect by making the local path a trusted path by
> including it in the IE browser's trusted area ... i.e. adding c:\"local
> path" as a trusted path, just as you would an ftp:"path" or http:"path".
>
> Doesn't this work from the top down?
>
> Flex

I don't know, honestly, something to try. It might work.

I will note that aol has gotten quite a bit of deserved flak for
putting their site into the trusted domain. The issue is generally when
you can bounce off of these pages and circumvent their control.

In fact, I still have an open bug which demonstrates exactly this
kind of thing -- open, I guess because I wasn't able to have it
actually run code in that context. But, it is a pretty scary demonstration
nevertheless.

Le mee see...

http://home.austin.rr.com/wiredgoddess/thepull/

Check out the "Trusted Sites Link" then look at the bottom right hand
corner of the screen to see what security level the pop-up message is
coming from. 

-- 

Sweeper - the file scanner
http://members.cox.net/osioniusx

Quantcast