Chromium Bug with JNLP Launch

[JustAGuy]

Oracle has deprecated Applets and asked people to move to JNLP. Launching a java application using JNLP through Firefox and Internet Explorer works seamlessly - but in Chrome/Chromium, there is a bug.

On IE & Firefox, the JNLP gets automatically launched. On Chrome/Chromium however, it gets downloaded & then you have to open it explicitly. This is not a good user experience.

There are multiple bug entries for this on CRBug.

This is one - https://bugs.chromium.org/p/chromium/issues/detail?id=619933 

 

It creates inconvenience for migration from Applets to JNLP as advised by Oracle.

 

Is there a tentative date/release by which this will be fixed? 

 

rgds

[PhistucK]

Probably never, or so I hope.

You can click on the arrow next to the download slot in the downloads bar and select "Always open files of this type" or something similar.

Chrome does not support automatically launching anything out of the box (perhaps there is a bug at crbug.com, open or closed, to make it launch automatically, I do not know). Letting JNLP open automatically (without having the user approve such a policy once at least) sounds like a security risk to me. After all, JNLP can be malicious, right?

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.

[JustAGuy]

On Friday, August 12, 2016 at 7:52:48 PM UTC+5:30, PhistucK wrote:

You can click on the arrow next to the download slot in the downloads bar and select "Always open files of this type" or something similar.

That's the bug. For Jnlp files, this option (Always open files of this type) remains grayed out - you cannot select it.

Now can someone tell me if this is going to be fixed?

 

[PhistucK]

You can search crbug.com for an existing issue and star it. If you cannot find one, file a new issue using the "New issue" link on the same page.

Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment. It just wastes the time of Chrome engineers and sends unnecessary e-mails to all of the people who starred the issue.

You can reply with a link to the found or created issue and might get triaged (and fixed) faster.

Thank you.

☆PhistucK

--

[JustAGuy]

On Sunday, August 14, 2016 at 9:39:29 AM UTC+5:30, PhistucK wrote:

You can reply with a link to the found or created issue and might get triaged (and fixed) faster.

There are already multiple bugs for this.   

[PhistucK]

I would not count on it changing. It looks like a deliberate decision -

https://chromium.googlesource.com/chromium/src/+/39841e54180e2583dffa16fbbb9b99fd293821d0

☆PhistucK

--

[JustAGuy]

On Monday, August 15, 2016 at 12:28:45 AM UTC+5:30, PhistucK wrote:

I would not count on it changing. It looks like a deliberate decision -

https://chromium.googlesource.com/chromium/src/+/39841e54180e2583dffa16fbbb9b99fd293821d0

☆PhistucK

This is ridiculous - It needs to change. JNLP is what Oracle recommends for migrating away from Applets. Chrome was the first to stop supporting Applets. Now Chrome doesn't offer a good path for JNLP. Opening the jnlp file everytime is not a good option for a case for non-technical users.

[PhistucK]

Well, it is a dangerous file, it is executable. Most users do not want to execute them, but are tricked into executing them.

☆PhistucK

[JustAGuy]

On Tuesday, August 16, 2016 at 10:44:33 AM UTC+5:30, PhistucK wrote:

Well, it is a dangerous file, it is executable. Most users do not want to execute them, but are tricked into executing them.

Why is firefox allowing it? Why is IE allowing it?  

In either case, it's because the user is making an informed decision by choosing an option. 

Either way, it may a good idea for the developer who is assigned this fix to close the bug as "Won't fix" in case there is no plan to fix this. There are multiple bugs in CRbug for this issue. All of them are just hanging around with users having no idea if it's going to be fixed or not.   

The whole point of Java Web Start is to start Java apps over a browser - that's the whole point of that technology and all other browsers respect that.   

Looks it's time for "Best viewed on Internet Explorer", "Best viewed on Google Chrome" logos on the websites again.   

[PhistucK]

Why has Internet Explorer allowed ActiveX (a security issue since its existence)? Different vendors have different philosophies regarding different matters.

I agree that a decision should be made, though. I am pretty (99%) sure it will be "WontFix", since it was explicitly implemented. I believe a test engineer marked it as "Assigned" because it looks like a regression, but it looks like an intentional regression. Read crbug.com/461858 (which is even officially documented as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1274).

Regarding the security of Java Web Start - see https://bugs.chromium.org/p/chromium/issues/detail?id=92846#c15.

☆PhistucK

[JustAGuy]

The JNLP is a signed application - if it's not signed by a trusted cert it will not run. It shows users a dialog saying who it's signed by & then again asks permission to run. Not allowing it to run makes as much sense as disabling all executables to run on an OS because "security".

[JustAGuy]

Couple of more months have passed & the bugs are as is - not even a comment as to whether they are planning to fix it or not.  

This bug is further compounded by bug 135428. After 100 JNLP files, the 101st one gives a problem - because Chrome has a limit of 100 files of the same name. Our users run our Web based JNLP application 3-4 times a day. So in a month's time - they can no longer run this because the 100 file limit is exhausted. And our users are non-technical - who won't even be able to find the download directory and delete files. We aren't left with any other option now other than blocking Chrome for our application and asking the users to use Firefox or IE. 

[James Whelan]

no you can't

☆PhistucK

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

[James Whelan]

Yeah, but it doesn't even let you click it once and check the always launch option. its grayed out.

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.