Signed JavaScript and event handler problem
Foo Man Choo SE
page (similar in concept to ASP and JSP) containing links which, upon
clicking, result in the invocation of an application on the user's own
machine. Since we are using generated HTML, we are forced into
externalizing the JavaScript code to a file so it could be signed
using SignTool and kept in the web servers root along with cert7.db,
etc. A simplified example of the JavaScript file and the generated
HTML is as follows:
// runappnow.js
function runApp(command)
{
if (document.layers && navigator.javaEnabled())
{
netscape.security.PrivilegeManager.enablePrivilege('UniversalExecAccess');
java.lang.Runtime.getRuntime().exec(command);
window.onerror = window.oldOnError;
}
}
*************** Generated HTML ****************
<html>
<head>
<SCRIPT ARCHIVE="FOO.jar" SRC="runappnow.js"> </SCRIPT>
</head>
<body>
<form name="myform">
<input type="text" name="find" value="">
<input type="button" name="b1" value="Run app"
onclick="runApp('notepad c:/autoexec.bat')">
</form>
</body>
</html>
-------------------------------------------
We have used SignTool to sign the runappnow.js file only. We have
verified that the resultant jar file is correct.
The problem is that when we click on the link, we get:
JavaScript Error: uncaught Java exception
netscape/security/ForbiddenTargetException ("User didn't grant the
UniversalExecAccess privilege.")
It appears that the function runApp() is not being resolved correctly
(or appearing as signed properly). Does the onclick="runApp()" need
signing somehow? If so, how, since the HTML is being generated at run
time?
(BTW, if we run the same test using static HTML, it works fine. This,
at least, verifies that we have the signing part working...)
--Rob