Date: 2015-06-24 14:45:00 +0000
From: Tomas Hoger <>
To: JiriVanek <>
CC: unassigned
Last updated: 2015-09-21 14:51:09 +0000
Comment 10690
Date: 2015-06-24 14:45:03 +0000
From: Tomas Hoger <>
The Java same-origin policy (SOP) differs from the browser-enforced SOP in that it considers two hosts
to be the same origin if they share the same IP address. This behaviour is documented in e.g. the
Browser Security Handbook:
https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Java
> Java applets, ..., roughly follow the basic concept of same-origin checks
> applied to a runtime context derived from the site the applet is downloaded
> from - except that rather unfortunately to many classes of modern websites,
> different host names sharing a single IP address are considered same-origin
> under certain circumstances.
These traditional same-origin checks evolved in (Oracle) JDK8:
https://bugs.openjdk.java.net/browse/JDK-8010464
http://openjdk.java.net/jeps/184
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/93a268759ec3
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dd0deeb04933
Different host names pointing to the same IP are no longer considered same origin by the Oracle JDK8
browser plugin. Its documentation now says e.g.:
https://docs.oracle.com/javase/tutorial/deployment/applet/security.html
> They can make network connections to the host and port they came from.
> Protocols must match, and if a domain name is used to load the applet, the
> domain name must be used to connect back to the host, not the IP address.
ITW, even when used with OpenJDK8 with JEP 184 changes, still enforces the old same IP == same origin
SOP. It seems it needs to be adjusted to follow the new policy when used with JDK8. The behaviour for
JDK7 should likely stay unchanged for consistency with Oracle JDK7.
Comment 10691
Date: 2015-06-24 15:01:04 +0000
From: Tomas Hoger <>
Created attachment 1371
SOP test case
A simple test applet that can be used to test Socket and URLConnection SOP. For testing, I have
/etc/hosts entries for host1 and host2, both resolving to the same IP address.
When the applet is instructed to connect to host1:80, the result is:
- Oracle JDK7 and ITW with OpenJDK 7 or 8:
Socket connection to host1:80 was allowed.
URLConnection to http://host1:80 was allowed.
- Oracle JDK8:
Socket connection to host1:80 was denied:
java.security.AccessControlException: access denied
("java.net.SocketPermission" "host1" "resolve")
URLConnection to http://host1:80 was allowed.
When the applet is instructed to connect to host2:80, the result is:
- Oracle JDK7 and ITW with OpenJDK 7 or 8:
Socket connection to host2:80 was allowed.
URLConnection to http://host2:80 was allowed.
- Oracle JDK8:
Socket connection to host2:80 was denied:
java.security.AccessControlException: access denied
("java.net.SocketPermission" "host2" "resolve")
URLConnection to http://host2:80 was denied:
java.security.AccessControlException: access denied
("java.net.SocketPermission" "host2:80" "connect,resolve")
Attached file: SOPCheck.java (text/plain, 1789 bytes)
Description: SOP test case
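An added illustration (not part of the bug report or the attached SOPCheck.java) of the two origin rules described in comment 0 and exercised by the test results above. The host names and addresses are constructed to mirror the host1/host2 /etc/hosts setup; the legacy rule compares resolved IP addresses, while the JDK8 (JEP 184) rule compares the host name the applet was loaded from, so host2 and the bare IP are same-origin only under the legacy rule.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical model of the two applet same-origin rules discussed in the report. */
public final class OriginPolicyDemo {

    /** Constructed stand-in for the /etc/hosts setup in the report: host1 and host2 share one IP. */
    private static final Map<String, List<String>> HOSTS = new HashMap<>();
    static {
        HOSTS.put("host1", Arrays.asList("192.0.2.10"));
        HOSTS.put("host2", Arrays.asList("192.0.2.10"));
        HOSTS.put("other", Arrays.asList("192.0.2.20"));
    }

    /** Offline resolver; a real implementation would call InetAddress.getAllByName. */
    static List<String> resolve(String host) {
        String key = host.toLowerCase(Locale.ROOT);
        if (HOSTS.containsKey(key)) {
            return HOSTS.get(key);
        }
        // An IPv4 literal resolves to itself, as InetAddress would do.
        return key.matches("\\d{1,3}(\\.\\d{1,3}){3}") ? Arrays.asList(key) : Arrays.<String>asList();
    }

    /** Legacy rule (Oracle JDK7, ITW): same origin when codebase host and target share any resolved IP. */
    static boolean sameOriginByIp(String codebaseHost, String targetHost) {
        Set<String> shared = new HashSet<>(resolve(codebaseHost));
        shared.retainAll(resolve(targetHost));
        return !shared.isEmpty();
    }

    /** JDK8 rule (JEP 184): same origin only when the target is the host name the applet was loaded from. */
    static boolean sameOriginByName(String codebaseHost, String targetHost) {
        return codebaseHost.equalsIgnoreCase(targetHost);
    }

    public static void main(String[] args) {
        String codebase = "host1"; // applet loaded from http://host1/
        for (String target : Arrays.asList("host1", "host2", "192.0.2.10", "other")) {
            System.out.printf("%s -> %-11s legacy=%-5b jdk8=%b%n", codebase, target,
                    sameOriginByIp(codebase, target), sameOriginByName(codebase, target));
        }
    }
}
```

Under the legacy rule host1, host2 and 192.0.2.10 are all reported as same-origin, which is the ITW behaviour the report describes; under the JDK8 rule only host1 is.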
Comment 10692
Date: 2015-06-24 15:02:27 +0000
From: Tomas Hoger <>
Created attachment 1372
HTML page to host the applet attached above
Attached file: index.html (text/plain, 664 bytes)
Description: HTML page to host the applet attached above
Comment 11375
Date: 2015-09-21 05:05:38 +0000
From: JiriVanek <>
Hello. This bug is fixed by itself when JDK8 is used as the runtime JDK for ITW, or not?
JDK 7 and older are already deprecated as the ITW runtime.
Comment 11381
Date: 2015-09-21 11:50:38 +0000
From: Tomas Hoger <>
(In reply to JiriVanek from comment #3)
> Hello. This bug is fixed by itself, when JDK8 is used as runtime jdk for
> ITW, or not?
I believe this question was already answered in comment 0:
(In reply to Tomas Hoger from comment #0)
> ITW, even when used with OpenJDK8 with JEP 184 changes, still enforces the
> old same IP == same origin SOP. It seems it needs to be adjusted to follow
> the new policy when used with JDK8. The behaviour for JDK7 should likely
> stay unchanged for consistency with Oracle JDK7.
The use of JDK8 does not fix this, which is why this bug report was created in the first place. I just
re-tested with icedtea-web-1.6.1 from F22. Do you see any different results with some other ITW version?
Comment 11382
Date: 2015-09-21 11:54:36 +0000
From: Tomas Hoger <>
Created attachment 1418
SOP test case
Updated test case, which makes it possible to specify the target host from within the applet rather than
requiring input from the hosting HTML page.
Attached file: SOPCheck.java (text/plain, 3377 bytes)
Description: SOP test case
Comment 11383
Date: 2015-09-21 11:55:18 +0000
From: Tomas Hoger <>
Created attachment 1419
HTML page for the applet
Updated for the new applet version
Attached file: index.html (text/plain, 1206 bytes)
Description: HTML page for the applet
This issue was imported from bugzilla with bugzilla2github
Bugzilla Bug Reference: 2472
Comment 11386
Date: 2015-09-21 14:51:09 +0000
From: JiriVanek <>
Sorry for closing. I swapped bugs.