Hello,
There is a new feature that is disabled by default in JRE 8u51. It appears this feature has very limited explaination for the enterprise audience, typically Oracle enables all features that can give better security posture. Does this feature enable a better sandbox security posture or not? If so why is it disabled by default and what does it mean if it is not enabled? Here are the notes below from the release notes. Please someone explain if the enterprise should or shouldn't enable this setting below?
New Features and Changes
Operating system's restricted environment (Native Sandbox)
JDK 8u51 introduced the following changes to Native Sandbox:
- Native sandbox is available on Windows platform only.
- Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting
deployment.security.use.native.sandbox property to true indeployment.properties file.Native sandbox is disabled by default. - When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.
- Native sandbox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.
- Sandbox applets deployed with HTML applet tag which includes all-permissions JAR files from the
Class-Path manifest attribute, will run in native sandbox.In such cases, a special warning dialog will display, informing the user that the applet may not work properly, when such an applet tries to access the all-permission JAR files. - Custom preloader will be disabled in certain cases when native sandbox is enabled:
- Custom preloader will be disabled when sandbox applets or web-start applications are initializing and the default preloader will be used instead. After application is initialized, Java VM restarts with native sandbox enabled and the custom preloader will be used.
- For all-permission applications, custom preloader will be disabled if it is located in the JNLP file with sandbox permission, until user agrees to run application from the Security Dialog, which grants unrestricted access (privileged) to application.