Christian Heilmann

Don’t use window.sun or function sun() in Firefox – lest you want to start Java!

Friday, February 27th, 2009 at 8:10 am

I just came across a mind-boggling “ghost in the machine” style problem in Firefox: if you use window.sun or function sun() in JavaScript you effectively start the Java VM. As explained in this article on doctype

There are a few “magic” properties on Mozilla’s DOMWindow interface for supporting LiveConnect that will initialize the Java plugin and all the baggage that comes with it (which, with modern Java plugins, means launching java.exe as a subprocess). Looking up these properties on the window object is all it takes.

Other properties to avoid are:

  • java
  • Packages
  • netscape
  • sun
  • JavaClass
  • JavaArray
  • JavaMember

So if you want to make sure that the performance of your webapp doesn’t go down the tubes makes sure you avoid any of these.

Tags: , , , ,

Share on Mastodon (needs instance)

Share on BlueSky

Newsletter

Check out the Dev Digest Newsletter I write every week for WeAreDevelopers. Latest issues:

Don't stop thinking, AI Slop vs. OSS Security, rolling your own S3 Despite AI you still need to think, Bitter lessons from building AI products,  AI Slop vs. OSS security and pointer pointer…
200: Building for the web, what's left after rm -rf & 🌊🐴 vs AI What remains after you do a rm -rf? Why do LLMs know about a seahorse emoji? What image formats should you use? How private is your car?
Word is Doomed, Flawed LLM benchmarks, hard sorting and CSS mistakes Spot LLM benchmark flaws, learn why sorting is hard, how to run Doom in Word and how to say "no" like a manager.
30 years of JS, Browser AI, how attackers use GenAI, whistling code Learn how to use AI in your browser and not on the cloud, why AI makes different mistakes than humans and go and whistle up some code!
197: Dunning-Kruger steroids, state of cloud security, puppies>beer

My other work: