Bug ID: 6768136 Malformed 404s cause breakage of Java/JavaScript bridge and browser hangs

6768136 : Malformed 404s cause breakage of Java/JavaScript bridge and browser hangs

Details

Type:	Bug	Submit Date:	2008-11-06
Status:	Resolved	Updated Date:	2010-09-08
Project Name:	JDK	Resolved Date:	2008-11-07
Component:	deploy	OS:	generic
Sub-Component:	plugin	CPU:	generic
Priority:	P2
Resolution:	Fixed
Affected Versions:	6u11
Fixed Versions:	6u11

Related Reports

Sub Tasks

Description

Some web servers are misconfigured and do not return correctly formed 404 errors; the 404 is returned as an HTML page but the status code of the HTTP reply is not set. This causes the Java networking stack to become confused and the Java Plug-In to attempt to define a class with the contents of the 404 HTML page, which causes the JavaScript/Java bridge to break and the browser to hang.

Comments

SUGGESTED FIX

webrev: http://sa.sfbay.sun.com/projects/deployment_data/6u11/6768136.0
testcase: http://j2se.east.sun.com/deployment/www/tests/1.6.0_11/6768136/

2008-11-07

EVALUATION

Some web servers do not return properly formatted 404 HTTP responses,
which can cause the Java networking stack to confuse the HTML page
corresponding to the 404 with the bytes for a class file. This causes
a ClassFormatError to be thrown from deep within the Java Plug-In,
preventing a reply for a JavaScript -> Java call from being sent back
to the web browser and leading to a browser hang.

This issue has been fixed in the following ways:

  - Explicitly catching the ClassFormatError at the point of failure
    in the JavaScript -> Java bridge.

  - Catching all Throwables, not just Exceptions, during attempted
    JavaScript -> Java invocations so that an error reply can be
    returned to the browser for Errors as well as Exceptions.

  - Explicitly disabling the codebase lookup for class loaders created
    for so-called "dummy applets", which implement the "java" and
    "Packages" keywords in the Firefox browser, so that we will not
    make the round-trip to the server for bogus classes such as
    "java.class".

2008-11-07

EVALUATION

see comments.

2008-11-06

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together