
    Security and the jar protocol

    Java Archive (JAR) files are simply Zip archives. Firefox 2.0.0.10 (and Firefox 1.5.0.15) fixed a potential security issue in the same origin policy that arose when the jar: protocol was used to load data.

    Prior to this change, specifying the jar: protocol caused Firefox to treat the file being retrieved as a JAR file regardless of the MIME type the server sent (in other words, the content was handled as if its type were application/zip, whatever it actually was). A jar: URL has the form jar:<URL of the archive>!/<path inside the archive>, and content extracted from the archive is loaded with the origin of the archive's own URL. So no matter what the file's real contents were, as far as Firefox was concerned it was a Zip archive, and anything inside it ran as if the hosting site had served it directly.

    This ordinarily isn't a big deal, since site developers don't deliberately host dangerous files and serve them as Zip archives. However, a site that allows file uploads typically treats Zip files as relatively innocuous, since they're not executable; and because the MIME type was ignored, the upload did not even need to be served as a Zip archive to be opened as one.

    Unless, of course, the browser thinks it's a JAR file.

    So starting with Gecko 1.8.0.15 and 1.8.1.10, the jar: protocol is only allowed if the MIME type of the file is application/java-archive. A site that serves a file with that type is essentially promising that it has vetted the content and that it is in fact safe to load, scripts included, in that site's origin. Any other file type results in an "Unsafe file type" error. The check is made against the Content-Type the server sends, so a site that hosts user uploads must never serve them with that type; hosting uploads on a separate origin limits the damage should a type check ever be bypassed.
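    The behaviour described above, modelled as an added example in plain Node.js (this is illustration written for this page, not Firefox or Mozilla code). It parses a jar: URL into the archive URL and the entry path, derives the origin the extracted content would run in, and applies both policies: the pre-fix one, where any fetched file is treated as an archive, and the fixed one, where the outer response must be application/java-archive. The policy names, the function names and the table of sample responses are assumptions made for the example; the Content-Type parsing (dropping parameters, whitespace and case) is a reasonable model rather than a transcription of the browser's check.

```javascript
// Added example modelling how a browser resolves a jar: URL and decides
// whether to load it. Not Firefox code; names and sample data are assumptions.

const JAR_MIME = 'application/java-archive'; // the only type the fix accepts

// Split jar:<outer URL>!/<entry path> into its two parts.
// The last "!/" is used so that nested jar: URLs (jar:jar:...!/a.jar!/b.html)
// yield an outer part that is itself a jar: URL.
function parseJarUrl(jarUrl) {
  if (typeof jarUrl !== 'string' || !jarUrl.startsWith('jar:')) {
    throw new Error('not a jar: URL');
  }
  const body = jarUrl.slice(4);
  const sep = body.lastIndexOf('!/');
  if (sep === -1) throw new Error('jar: URL has no "!/" separator');
  const outer = body.slice(0, sep);
  const entry = body.slice(sep + 2);
  if (!outer.startsWith('jar:')) new URL(outer); // throws on an invalid outer URL
  return { outer, entry };
}

// Content inside the archive runs with the origin of the outermost real URL.
// This is exactly what let an uploaded Zip act as the site hosting it.
function jarOrigin(outer) {
  return outer.startsWith('jar:')
    ? jarOrigin(parseJarUrl(outer).outer)
    : new URL(outer).origin;
}

// Normalise a Content-Type header value: drop parameters, whitespace, case.
function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// policy: 'pre-fix' (any fetched file is treated as an archive) or
//         'fixed'   (Gecko 1.8.0.15 / 1.8.1.10: outer type must be JAR_MIME)
function decideJarLoad(jarUrl, contentType, policy) {
  if (policy !== 'pre-fix' && policy !== 'fixed') throw new Error('unknown policy');
  const { outer, entry } = parseJarUrl(jarUrl);
  const origin = jarOrigin(outer);
  if (policy === 'fixed' && mediaType(contentType) !== JAR_MIME) {
    return { allowed: false, origin, entry, error: 'Unsafe file type' };
  }
  return { allowed: true, origin, entry };
}

// Constructed sample responses (made up for this example): the Content-Type
// the outer fetch would return for each archive URL.
const SAMPLE_RESPONSES = {
  'https://victim.example/uploads/avatar.zip': 'application/zip',   // user upload
  'https://victim.example/uploads/photo.png': 'image/png',          // upload served as an image
  'https://cdn.example/lib/widget.jar': 'application/java-archive; charset=binary',
};

// Resolve a jar: URL against the sample responses under the given policy.
function simulate(jarUrl, policy) {
  const { outer } = parseJarUrl(jarUrl);
  return decideJarLoad(jarUrl, SAMPLE_RESPONSES[outer], policy);
}

// Demonstration: an attacker's HTML inside an uploaded Zip, loaded via jar:.
const attack = 'jar:https://victim.example/uploads/avatar.zip!/evil.html';
console.log('pre-fix :', simulate(attack, 'pre-fix')); // allowed, origin https://victim.example
console.log('fixed   :', simulate(attack, 'fixed'));   // Unsafe file type
console.log('real jar:', simulate('jar:https://cdn.example/lib/widget.jar!/ui.html', 'fixed'));
```

    Under the pre-fix policy the page inside avatar.zip is loaded with origin https://victim.example, so its scripts run as that site; under the fixed policy the same URL is refused because the upload was served as application/zip, while the archive served as application/java-archive (parameters and all) still loads.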

    Document Tags and Contributors

    Contributors to this page: Sheppy
    Last updated by: Sheppy