Version: (using KDE KDE 3.1.4)
Installed from: Compiled From Sources

The (non-)existence of the MAYSCRIPT keyword in the APPLET tag specifies whether a Java applet is allowed to access form elements and JavaScript in a web page. If the keyword is absent, the Java applet is not allowed to communicate with JavaScript.

Konqueror allows communication with JavaScript whether the tag is present or not. This is a potential security risk.
Subject: Re: New: konqueror ignores MAYSCRIPT keyword in APPLET tag

On Friday 19 December 2003 09:01, Johannes Martin wrote:
> The (non-)existence of the MAYSCRIPT keyword in the APPLET tag specifies
> whether a Java applet is allowed to access form elements and JavaScript in
> a web page. If the keyword is absent, the Java applet is not allowed to
> communicate with JavaScript.
>
> konqueror allows communication with JavaScript whether the tag is present
> or not. This is a potential security risk.

How is this a security risk? If someone wants to do bad things with Java, they could just exclude this MAYSCRIPT attribute altogether. If this has to do with embedding other people's applets, well, I'm sure there are much worse things that can happen too.
I did not say this was a horrible security risk that will make the world end. The fact that we might not see bad implications at once does not mean there aren't any. I don't think the MAYSCRIPT keyword was introduced just to annoy browser developers.
This security risk still appears in KDE 3.2.3.
Yes, and what about a bit of standards compliance? The MAYSCRIPT attribute was NEVER defined in any of the HTML specifications (or in other words, it's a third-party extension, probably MS or Netscape, I don't know) and therefore I can't see any reason why KHTML should implement/support it... Considering the APPLET element is deprecated since HTML 4...
getting rid of unconfirmed bugs and this "problem" definitely exists. In fact MAYSCRIPT even exists (in NS4, for instance).
It looks like there is only one valid intersection between the Mozilla specs for MAYSCRIPT and the W3C HTML standards....

http://www.w3.org/TR/REC-html40/struct/objects.html
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/java_js.html

The use of

    <OBJECT>
    <PARAM NAME="code" VALUE="XYZApp.class">
    <PARAM NAME="codebase" VALUE="html/">
    <PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
    <PARAM NAME="MAYSCRIPT" VALUE="true">
    </OBJECT>

In any case, this is not a security risk; in any case it is another problem for communication between Java and JavaScript for the web developer.
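An added illustration, not part of the bug thread and not KDE's code: the gate the original report describes, deciding from markup alone whether an applet may be given JavaScript access, covering both the APPLET keyword and the OBJECT/PARAM form quoted above. The class and function names are hypothetical, the sample page is constructed, and treating `mayscript="false"` as a denial is an assumption of this sketch.

```python
from html.parser import HTMLParser

JAVA_MIME = "application/x-java-applet"

# Constructed sample page; element names and class files are made up.
SAMPLE = """
<applet code="A.class" name="plain"></applet>
<applet code="B.class" name="scripted" MAYSCRIPT></applet>
<applet code="C.class" name="off" mayscript="false"></applet>
<object name="obj">
  <param name="type" value="application/x-java-applet;version=1.3">
  <param name="MAYSCRIPT" value="true">
</object>
<object name="flash"><param name="movie" value="x.swf"></object>
"""

class MayscriptAudit(HTMLParser):
    """Hypothetical checker: default-deny unless MAYSCRIPT is declared."""
    def __init__(self):
        super().__init__()
        self.stack = []    # open APPLET/OBJECT elements (they can nest)
        self.results = {}  # element name -> True if JS access may be granted

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases names; bare attrs map to None
        if tag == "applet":
            ok = "mayscript" in a and (a["mayscript"] or "true").lower() != "false"
            self.stack.append({"tag": tag, "name": a.get("name"), "java": True, "ok": ok})
        elif tag == "object":
            java = (a.get("type") or "").lower().startswith(JAVA_MIME)
            self.stack.append({"tag": tag, "name": a.get("name"), "java": java, "ok": False})
        elif tag == "param" and self.stack and self.stack[-1]["tag"] == "object":
            el = self.stack[-1]
            pname = (a.get("name") or "").lower()
            pval = (a.get("value") or "").lower()
            if pname == "type" and pval.startswith(JAVA_MIME):
                el["java"] = True   # this OBJECT embeds a Java applet
            elif pname == "mayscript" and pval == "true":
                el["ok"] = True

    def handle_endtag(self, tag):
        if tag in ("applet", "object") and self.stack:
            el = self.stack.pop()
            if el["java"]:          # non-Java objects are out of scope
                self.results[el["name"]] = el["ok"]

def audit(html):
    parser = MayscriptAudit()
    parser.feed(html)
    parser.close()
    return parser.results

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: JavaScript access {'allowed' if ok else 'denied'}")
```

A browser honouring the keyword would expose the page's script objects only to the elements mapped to True; the behaviour reported in this bug corresponds to treating every entry as True.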
Does this still apply to Konqueror 4.8.4 or later?
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days, the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please set the bug status as REPORTED so that the KDE team knows that the bug is ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!