Java applet manifest - Allow all Caller-Allowable-Codebase

暗喜 2020-11-28 02:10

As of Java 7u45 an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via JavaScript and that page isn't list

16 answers
  •  日久生厌
    2020-11-28 03:03

    I found something strange with the MANIFEST.MF file in the scope of the last Java security issue with the new attribute "Caller-Allowable-Codebase". I had some issues where this new attribute wasn't helpful for me, and I started an investigation
    (Attention!: it may be related only to my local computer configuration, because I had never seen such troubles on Stack Overflow).

    The manifest file had been upgraded according to the new security feature:

    Manifest-Version: 1.0
    Application-Library-Allowable-Codebase: *
    Caller-Allowable-Codebase: *
    

    and the *.jar was built, but without signing.

    So then I unpacked my *.jar file and looked in the META-INF folder at MANIFEST.MF, which should be generated from the source manifest.mf.

    And I was embarrassed by the absence of the last line; it looked like this:

    Manifest-Version: 1.0
    Application-Library-Allowable-Codebase: *
    

    I tested this behavior several times and found out that the last line was always replaced with whitespace. So, if it will be helpful for someone, just append some meaningless attribute at the end of the MANIFEST.MF file, like Codebase: *, which will be cut during the *.jar build.
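
The JAR manifest format requires every line, including the last, to end with a line terminator, and the jar tool does not parse an unterminated last line, which is consistent with the symptom in the answer above. The following build check is an added example, not code from the original post: it flags an unterminated source manifest and reports which of the two attributes are missing from, or set to `*` in, the built jar. The function names and sample byte strings are constructed for illustration.

```python
import io
import zipfile

REQUIRED = ("Application-Library-Allowable-Codebase", "Caller-Allowable-Codebase")

def source_problems(manifest: bytes) -> list:
    """Check the manifest file that is passed to the jar tool."""
    if manifest.endswith((b"\n", b"\r")):
        return []
    last = manifest.splitlines()[-1].decode("utf-8") if manifest else ""
    return [f"no line terminator after last line, it will be dropped: {last!r}"]

def parse_main_section(manifest: bytes) -> dict:
    """Parse main-section attributes; names are case-insensitive, so lower-case them."""
    attrs, last = {}, None
    for line in manifest.decode("utf-8").splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of a line wrapped at 72 bytes
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()
            attrs[last] = value
    return attrs

def audit_jar(jar, required=REQUIRED) -> dict:
    """jar: path or file object. Report missing attributes and wildcard values."""
    with zipfile.ZipFile(jar) as zf:
        attrs = parse_main_section(zf.read("META-INF/MANIFEST.MF"))
    return {
        "missing": [n for n in required if n.lower() not in attrs],
        "wildcard": [n for n in required if attrs.get(n.lower(), "").strip() == "*"],
    }

def make_jar(manifest: bytes) -> io.BytesIO:
    """Constructed sample: an in-memory jar holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf

# Constructed inputs mirroring the two manifests shown in the answer above.
SOURCE_NO_NEWLINE = b"Manifest-Version: 1.0\nApplication-Library-Allowable-Codebase: *\nCaller-Allowable-Codebase: *"
BUILT_MANIFEST = b"Manifest-Version: 1.0\r\nApplication-Library-Allowable-Codebase: *\r\n\r\n"

if __name__ == "__main__":
    print(source_problems(SOURCE_NO_NEWLINE))
    print(audit_jar(make_jar(BUILT_MANIFEST)))
```

Running `audit_jar` on the real build output before signing catches a dropped attribute early, and the `wildcard` list shows where the jar accepts callers from any codebase.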
