Posted by alexter
on December 4, 2006 at 9:55 AM PST
This might be a stupid question, but... Why does Web Start refuse to load a JNLP file that references a component extension located on another host? The error message is "Multiple hosts referenced in resources" plus something about security. Actually these are two questions:
1. What security concern might stand behind that? Even if my application picks up libraries (component extension) from a different host, it still runs in a sandbox, so what's the issue?
2. How does this comply with the JNLP spec, which states clearly in section 5.5 ("Untrusted Environment"): "The JNLP file can request extensions and JREs from any host. An application cannot make a socket connection back to any of the hosts where JREs or extensions are downloaded from (unless it happens to be the same host as for the JAR files). Extensions requested from hosts other than the one that the JAR files were downloaded from must be signed and trusted as per section 5.4."
That said, I still cannot understand why component extensions are required to be trusted.
Please tell me I'm doing something wrong! Because this behavior is very frustrating. Why not allow widely used components to be hosted in a single place and shared across applications, thus minimizing the download sizes? In these circumstances one has two choices: to either bundle every library with the application or always request full permissions, which makes the application unsafe and annoying.
Thanks in advance for any response.
Message was edited by: alexter
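
An added example, not part of the original post and not Web Start's own check: a small Python audit that applies the section 5.5 rule quoted above to a JNLP descriptor and lists the extensions hosted somewhere other than the JAR host, which the spec says must be signed and trusted. The sample descriptor, its host names and the function name `audit_jnlp` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor; hosts and file names are placeholders.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://app.example.com/demo/" href="demo.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.5+"/>
    <jar href="demo.jar" main="true"/>
    <jar href="lib/util.jar"/>
    <extension name="shared-lib" href="http://libs.example.net/shared/lib.jnlp"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""


def _host(codebase, href):
    # Relative hrefs resolve against the codebase attribute. Without a
    # codebase the host is unknown here and reported as an empty string.
    return urlparse(urljoin(codebase, href)).hostname or ""


def audit_jnlp(xml_text):
    """Report JAR hosts and extensions served from any other host."""
    root = ET.fromstring(xml_text)
    codebase = root.get("codebase", "")
    # First pass: hosts the application's own JARs and native libs come from.
    jar_hosts = set()
    for res in root.iter("resources"):
        for el in res:
            if el.tag in ("jar", "nativelib") and el.get("href"):
                jar_hosts.add(_host(codebase, el.get("href")))
    # Second pass: extensions whose descriptor lives on a different host.
    foreign = []
    for ext in root.iter("extension"):
        if ext.get("href"):
            host = _host(codebase, ext.get("href"))
            if host not in jar_hosts:
                foreign.append((ext.get("name"), host))
    return {
        "requests_all_permissions": root.find("security/all-permissions") is not None,
        "jar_hosts": sorted(jar_hosts),
        "must_be_signed_and_trusted": foreign,
    }


if __name__ == "__main__":
    print(audit_jnlp(SAMPLE_JNLP))
```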