Java 7u51/7u55 Manifest Variables with Asterisk

Question

I'm deploying an applet with the next variables in the manifest:

Manifest-Version: 2.0

Ant-Version: Apache Ant 1.8.2

Trusted-Library: true

Permissions: all-permissions

Application-Name: My Applet

Codebase: *

Application-Library-Allowable-Codebase: *

Caller-Allowable-Codebase: *

I was wondering if by using the asterisk in the previous values, my applet (once deployed) can be blacklisted by Java or by Oracle in a future version or now with the 7u51 (or perhaps the certificate can be blacklisted). Is it ok to use asterisks here?

I know is not the safest measure because my applet can be placed in any domain and be used, but I have to deploy the applet to a very large set of different domains, so I just want to create a single applet for every domain I control (I did this and it works for Java 7u40 and earlier versions).

Thanks for the help.

=== UPDATE - Java 7u55 ===

With Java 7u55, if you include a stand-alone asterisk as value in the Caller-Allowable-Codebase variable, you will get a security prompt once the applet is loaded. More info: Java Blog 8u5/7u55

Answer 1

As you can read here: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#codebase The asteriks indeed is a valid (codebase-)property value. As far as I know, the codebase attributes are therefore also optional, and Java will not complain if these are not present. Only for the permissions and Application-name attributes in the main jar file. In Java 7u45 it would complain for all the library jar files aswell, but since 7u51 it only does it for the main jar.