 

Warning relied on Caller-Allowable-Codebase attribute not shown always

Tags:

java

applet

I have the following manifest information in the signed Java applet. My build environment is old and is currently restricted to JDK 1.6.

Manifest-Version: 1.0
Implementation-Vendor: Foo, Inc.
Application-Library-Allowable-Codebase: * 
Application-Name: FooBar
Permissions: all-permissions 
Sealed: true 
Created-By: 1.6.0_20 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: https://*

According to the Java documentation:

If a stand-alone asterisk (*) or an asterisk used with a top-level domain such as *.org is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to your RIA show a security warning. Users have the choice to allow the call or block the call. An option to remember the choice is also provided. If the user chooses to remember the choice, no further warning messages are shown for the same RIA when it receives calls from JavaScript code from the same source.

JavaScript code in my web application relies on the return code from the applet to show the appropriate status on the portal. The messages shown vary depending on the status code returned. But for this to happen, the Java warning window should appear. In Firefox v51 & JRE 1.8.121, this warning window shows up sometimes. When it doesn't, communication between JavaScript and the applet is absent. What could be the issue that the warning window doesn't appear all the time?

asked Feb 09 '17 21:02

Mahesh


1 Answer

I am using the same live connect method to communicate between the applet and JavaScript. I came across many different warning screens throughout the past few years from JRE6u45 until the current JRE8u131. It depends on which warning screen you are now facing.

Did you use Firefox every time? Firefox has not supported the Java plugin since a certain version (see here). FYI, Chrome and MS Edge do not support Java applets. Please check that you are not using them.

The Caller-Allowable-Codebase attribute should not trigger any warning. It should block the applet from running if it does not include the domain correctly. There should be no warning message that allows you to run.

Generally most warning screens come from the JRE instead of the browser. So you may also check the following items:

  • The code signing cert is valid and not expired.
  • Go to the Java Control Panel and clear the applet cache (General Tab).
  • "Enable Java content" is checked (Security Tab).
  • Restore Security Prompts (Security Tab).
  • Enable mixed code to show a warning if needed (Advanced Tab).
  • Enable logging and tracing, and show the Java console (Java Control Panel -> Security Tab).

Please provide more details of the screen or warning messages you have.

answered Nov 07 '22 08:11

Man Coding
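
An added example, not part of either post and not Oracle's tooling: a small manifest check that parses the main section of a MANIFEST.MF (including wrapped continuation lines) and lists the codebase entries that fall into the class the quoted documentation describes, a stand-alone `*` or `*.<tld>`. The function names and the `portal.example.com` host are assumptions made for illustration, as is applying the same rule to `Application-Library-Allowable-Codebase` and `Codebase`.

```python
import re

# The prompt rule is documented (in the passage quoted in the question) for
# Caller-Allowable-Codebase; applying it to the other two is an assumption.
CODEBASE_ATTRS = ("Caller-Allowable-Codebase",
                  "Application-Library-Allowable-Codebase", "Codebase")

def parse_main_section(text):
    """Return the manifest's main-section attributes, names lowercased."""
    attrs, last = {}, None
    main = re.split(r"\r?\n\r?\n", text.strip(), maxsplit=1)[0]  # to first blank line
    for line in main.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]      # continuation of a wrapped value
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed manifest line: {line!r}")
            last = name.strip().lower()  # attribute names are case-insensitive
            attrs[last] = value.strip()
    return attrs

def is_broad(entry):
    """True for '*' alone or '*.<tld>', with or without scheme, port, path."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.lower())
    host = re.split(r"[:/]", host, maxsplit=1)[0]
    return host == "*" or re.fullmatch(r"\*\.[a-z0-9-]+", host) is not None

def audit(text):
    """Map each codebase attribute present to its list of broad entries."""
    attrs = parse_main_section(text)
    return {name: [e for e in attrs[name.lower()].split() if is_broad(e)]
            for name in CODEBASE_ATTRS if name.lower() in attrs}

# The codebase lines from the question's manifest.
QUESTION_MANIFEST = """Manifest-Version: 1.0
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Codebase: https://*
"""

# Constructed counterpart; portal.example.com is a placeholder host.
RESTRICTED_MANIFEST = """Manifest-Version: 1.0
Caller-Allowable-Codebase: https://portal.example.com https://*.examp
 le.com
Codebase: https://portal.example.com
"""

if __name__ == "__main__":
    print(audit(QUESTION_MANIFEST), audit(RESTRICTED_MANIFEST), sep="\n")
```

Every codebase attribute in the question's manifest is reported as broad, while the constructed manifest, which names its hosts, reports none.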