Trust Methods; Privileged Locations; Changes Across Releases - Adobe 12001196 - Acrobat - Mac Manual

Application Security Guide

9 Trust Methods

Ideally, you've enabled and configured all of the product's security mechanisms and are now ready to
assign trust to elements in your workflows. Available trust mechanisms include:

9.1 Privileged locations

Privileged locations (PLs) are synonumous with "trusted locations." PLs are the primary way that users
and administrators can specify trusted content that should be exempt from security retrictions. The feature
behaves as follows:
• A privileged location may be a file, folder, or host.
• There may be an HKCU list and an HKLM list: administrator's can lock down the feature in HKLM so
that users cannot change the setting.
• Privileged locations can be permanently disabled or enabled by the administrator.
• The Trust Manager hive does not appear in the registry until the user interface is exercised.
However, you can create it manually.
• Configuration may occur via the user interface or directly in the registry.
• If configured through the user interface, the privileged location ID only may or may not appear under
under all the possible cabs. Functionality changes across releases, so test the UI and see what trust
is assigned.
• Permissions granted by other features often overlap. For example, cross domain policies, internet
access settings in Trust Manager, and certificate trust settings for certified documents sometimes
interact so that the most permissive setting takes precedence. Users should TEST THEIR
CONFIGURATION prior to deployment.
• All key (tID) names under a particular cab must be unique.
• You can also elevate Trusted Win OS zones to privileged locations.

9.1.1 Changes across releases

Evolution of the privileged location feature
Version
9.0 Privileged locations introduced as a way to assign trust to content blocked when enhanced security is enabled.
8.1.7 Enhanced security added for 8.1.7.
8.2 & 9.3
• Enhanced security turned on by default, so the use of privileged locations
becomes critical.
9.3.4
• cJavaScriptURL was introduced thereby adding a way to restrict JavaScript
invoked URLs via enhanced security. Trust can be assigned through privileged
locations.
• Trusting a location as a privileged location also trusts that location for high
privileged JavaScript. cJavaScript is populated.
• Trusting a location as a privileged location also trusts that location for blacklisted
JavaScript APIs. cUnsafeJavaScript is populated.
Section 9 Trust Methods
Change
Section 9 Trust Methods
Page 85