Gotcha. Yeah I can see how it can mimic OS windows while a browser couldn’t.
In that case, after thinking about it some more, I’d say go with Riven’s idea of a coffee cup, and the as short a text as possible in the tooltip. Maybe just “Untrusted window [more info]”.
I say use the coffee cup icon because JS alert dialogs show the browser’s icon instead of a warning icon.
I’d much rather it said what it is than what it isn’t.
Untrusted is computer speak… you haven’t taken the action of trusting this. To most people trust isn’t an action you take, and untrusted might just as well say distrusted, which might as well say panic, close now and run a virus scan.
If it could just make it clear that you are looking at an applet window from site , with a link to info about what an applet can do, that would seem to do the same job in a more positive way.
I hate the triangle but I see the need for it.
The best alternative I can suggest is a humourous duke animation on the title bar, (& no non-title bar dialogs - any good reasons why an unsigned applet would ever need one?) The animation should be enough to show the user that this is not a serious system dialog but is also not scary to users of safe apps.
I’m glad this problem is getting looked into.
I agree with the full screen behaving like Silverlight when in sandbox, which silverlight removes most key access and leave exc ,arrows,spacebar, alt, etc…
Any security messages that popup should explain what the program is asking for access.
I don’t know if this is possible atm in Java but can unsign apps access something outside the sandbox but ask for a security window? And the coder has a option to do next if the user clicks no?
I agree with Riven that the current situation is better than the proposed changes. The triangle with an exclamation mark and the ‘Java Applet Window’ tooltip is fine. Maybe the only change that is necessary is to turn the ‘Java Applet Window’ tooltip into a hyper-link that brings up a page telling you exactly what Java Applets can do.
I don’t think displaying ‘untrusted’ is a great idea. Having similar restrictions as flash and silverlight when the window is big is good since the exclamation mark is too small.
Thanks a lot for asking us about this Dmitri.
I think the current situation, for untrusted applets, is fine. That little yellow triangle shows the user there’s something up and that’s good. The real problem is what to do about trusted applets - or at the least, signed applets.
Cas 
There simply is no way to get this safe. I made this lame applet for you to enjoy:
??? i see the warning icon on XP.
But maybe we should think about an option to close a undecorated && untrusted applet by clicking on the warning sign 
(or something similar)
[edit] added screenshot
The point is, that yes, there is a warning sign, but… is it effective… like… at all?
Oh come on… I could have taken a screenshot at higher resolution, and that ‘alert dialog’ doesn’t have to be there anyway. Because most would have entered their password before.
Flash handles this with an overlay with a warning, which disappears after 2 seconds.
[forum created duplicate posting]
I think the yellow triangle seems to work fine, so long as it’s always visible. I’m not sure why applets should even be allowed to open windows though, to be honest. They’re suppoesd to be embedded in web pages. In fact I think they shouldn’t be allowed, unless they’re signed.
(What’s to stop me signing my fake login applet, and the user clicks yes to see what the content is they’re missing, which can then launch another process quietly in the background which at some random point makes the fake login screen when no-one thinks the applet is even running any more? In fact, given that I can do that… what security do we actually have? None at all really.)
Cas
A little off topic but would be nice if you make JavaFX videos not pop up a security window… would be nice :
We use unsigned applets for our game rooms that open up an applet window when people click on a table. We also have a solution that uses tabs to avoid this - but the windowed solution is better because it lets you chat both in the room and at the table at the same time.
The fact that you can open a window is not the problem. You could create the applet in an html popup and some people would still think it was a login screen. People ARE stupid and we can’t save all of them…
sure ti is, as long as no1 notices the “java applet” tag at the bottom lol
Why are applets able to pop up windows at all? Just browsing to a page should not pop up any non-browser windows.
(Hell, it shouldn’t pop up any BROWSER windows either…)
For webstart, the little triangle warning (with the border) is fine, imo.
Being worked on.
That’s poor excuse for not trying =) “hey, look at those people drowning… too bad we can’t save all of them, so let’s not even try”…
If you have convinced the user to accept your signed applet, game over, you own the machine. You can run native code, after all.
Which I think is a problem (mentioned several times) - we don’t have a granularity when it comes to security - either almost nothing, or everything.
