###@###.### points out that Java Web Start and the Java Plug-In do not obey the crossdomain.xml directives that have emerged as a new standard for allowing certain web services to be accessed from unsigned code:
"Currently unsigned applications and applets cannot access any resources outside of the domain they were loaded from. This is great for security but makes certain types of applications difficult or impossible to write, such as mashups with the many cool webservices available from Google, Yahoo, etc. All of our competitors (Flash, Silverlight, and AJAX) have support for this. They handle it in one of two ways:
* Allow safe access to webservices using the crossdomain.xml files. This is what Flash and Silverlight do. In brief, if the client app requests a webservice on another domain the Flash environment will first check for some magic xml files on that domain to see if cross site access to particular resources is allowed. If the webservice doesn't allow it then the request is denied. This is what Java should support.
Silverlight 1 did not have support for cross domain scripting, but in Silverlight 2, they have decided to just reuse the crossdomain.xml system from Flash rather than reinventing the wheel. We should do the same since it would allow unsigned Java applications and applets to access existing webservices safely without requiring those webservices to be modified in any way.
General info on cross domain xml files:
Adobe's docs on cross domain xml files.
Microsoft's docs on cross domain xml files
Fixing this will also fix some longstanding problems with the National Weather Service applets:
because these applets attempt to contact http://www.weather.gov/ , which has a crossdomain.xml file.
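The check the report describes (fetch the target site's crossdomain.xml, permit the request only if the policy names the domain the code was loaded from, deny otherwise) can be sketched as follows. This is an added example, not part of the bug report and not JDK code; the class and method names are hypothetical, the sample policy is constructed, and only `allow-access-from` domain patterns are evaluated (the `secure` and port attributes and `site-control` are not handled).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class CrossDomainPolicyCheck {  // hypothetical name, illustration only

    // Pattern forms handled: "*" (any host), "*.example.com" (any subdomain,
    // not the bare domain in this sketch), or an exact host name.
    static boolean matches(String pattern, String host) {
        pattern = pattern.toLowerCase();
        host = host.toLowerCase();
        if (pattern.equals("*")) return true;
        // Keep the leading dot so "evilexample.com" cannot match "*.example.com".
        if (pattern.startsWith("*.")) return host.endsWith(pattern.substring(1));
        return pattern.equals(host);
    }

    // Default deny: access is granted only if the policy parses and names the host.
    static boolean isAllowed(byte[] policyXml, String requestingHost) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Policy files often carry a DOCTYPE; never fetch the DTD or external entities.
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            Element root = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(policyXml)).getDocumentElement();
            if (!"cross-domain-policy".equals(root.getTagName())) return false;
            NodeList rules = root.getElementsByTagName("allow-access-from");
            for (int i = 0; i < rules.getLength(); i++) {
                String domain = ((Element) rules.item(i)).getAttribute("domain");
                if (!domain.isEmpty() && matches(domain, requestingHost)) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // malformed or unreadable policy: no cross-domain access
        }
    }

    public static void main(String[] args) {
        // Constructed sample policy, as a web service might publish at /crossdomain.xml.
        String xml = "<?xml version=\"1.0\"?><cross-domain-policy>"
                + "<allow-access-from domain=\"*.example.com\"/>"
                + "<allow-access-from domain=\"apps.example.org\"/></cross-domain-policy>";
        byte[] policy = xml.getBytes(StandardCharsets.UTF_8);
        for (String host : new String[] {"maps.example.com", "apps.example.org", "evilexample.com", "example.net"})
            System.out.println(host + " -> " + (isAllowed(policy, host) ? "allow" : "deny"));
        byte[] notAPolicy = "<html>".getBytes(StandardCharsets.UTF_8);
        System.out.println("malformed -> " + (isAllowed(notAPolicy, "maps.example.com") ? "allow" : "deny"));
    }
}
```

A policy containing `domain="*"` opens the service to code loaded from any site, so a reviewer auditing a published crossdomain.xml should treat that entry as the first thing to question.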