
Java applet manifest - Allow all Caller-Allowable-Codebase

As of Java 7u45 an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via JavaScript and that page isn't listed in the manifest's Caller-Allowable-Codebase attribute.

Release notes about this change: http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

Oracle blog post about this bug: https://blogs.oracle.com/java-platform-group/entry/7u45_caller_allowable_codebase_and

Attribute description: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#caller_allowable

I have tried just a wildcard (*), but I still get the warning.

Is there a way around this other than listing all codebases it may run at?

The reason this is a problem for me is that this applet runs on many different machines and networks, but always on intranets at various locations. This applet also needs to communicate with JavaScript because it talks to local USB scales and displays results and interacts with the page.

Example of warning message

Applet in question: https://github.com/JaggedJax/CIO_Scale

William W asked Oct 16 '13 01:10


2 Answers

Removing the Trusted-Library attribute seems to be mandatory to get Caller-Allowable-Codebase working, no more warnings. However, this breaks Java 7 Update 21 - 40 which treated JavaScript code that calls code within a signed applet running with all permissions as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute.

Nikolas Pooch answered Sep 21 '22 19:09


My findings are the same:

This prevents warnings with Java 7u21 - 7u40:

    Manifest-Version: 1.0
    Trusted-Library: true

This exclusively prevents warnings with Java 7u45:

    Manifest-Version: 1.0
    Application-Library-Allowable-Codebase: *
    Caller-Allowable-Codebase: *

Mixing both won't work in 7u45.

Now what? Did anyone find a way to allow SIGNED applets with "all-permissions" to run without warnings in both JRE-versions?

What the hell is wrong with Oracle?

fiffy answered Sep 22 '22 19:09
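A build-time check for the attribute conflict described in the answers above, as an added example (not part of the original posts or of the CIO_Scale project): it reads a JAR's main manifest attributes and reports which JRE range the combination targets, using only the behaviour reported on this page. The function names, finding strings and sample manifest are assumptions made for illustration.

```python
import io
import zipfile

# Constructed sample: the 7u45 manifest from the answer above.
SAMPLE = ("Manifest-Version: 1.0\r\n"
          "Application-Library-Allowable-Codebase: *\r\n"
          "Caller-Allowable-Codebase: *\r\n")

def parse_main_attributes(manifest_text):
    """Parse the main section of a JAR manifest into a dict (lower-cased names)."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break                      # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]    # leading space = wrapped continuation line
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()    # attribute names are case-insensitive
        attrs[last] = value.strip()
    return attrs

def audit(attrs):
    """Return findings, following the behaviour reported in the answers above."""
    findings = []
    trusted = attrs.get("trusted-library", "").lower() == "true"
    caller = attrs.get("caller-allowable-codebase")
    if trusted and caller is not None:
        findings.append("mixed: Trusted-Library plus Caller-Allowable-Codebase still warns on 7u45")
    elif trusted:
        findings.append("7u21-7u40 only: no Caller-Allowable-Codebase, warns on 7u45")
    elif caller is not None:
        findings.append("7u45 only: no Trusted-Library, warns on 7u21-7u40")
    else:
        findings.append("neither: JavaScript calls warn on both ranges")
    if caller is not None and "*" in caller.split():
        findings.append("wildcard: JavaScript from any page may call this applet")
    return findings

def audit_jar(jar_bytes):
    """Read META-INF/MANIFEST.MF from in-memory JAR bytes and audit it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return audit(parse_main_attributes(text))

if __name__ == "__main__":
    for finding in audit(parse_main_attributes(SAMPLE)):
        print(finding)
```

Running it in the signing step of a build makes the choice of target JRE range explicit and surfaces a wildcard `Caller-Allowable-Codebase` before the JAR is deployed.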