So that's my question: is requesting a .java.policy file from a URL even possible?
Yes it is, but not in any way that is practical. The thing is:
- The policy file needs to be in a certain location on the local file system, in order to work.
- Any Java app. or applet would need trust to place it there, or even find out where the right location is.
- A Java app. needs extended permissions to be able to import the policy file to where it will have an effect.
- If a Java app. has the permissions to insert the policy file, it is already trusted.
If so, isn't that a terrible security risk?
Yes, it would be.
If this applet needs trust, digitally sign it.
Addendum
See Java 7 Update 21 Security Improvements in Detail for more info. on the ever-tightening Java security environment.
It is apparently planned to have a future JRE default to maximum security. That would mean that by default, only classes in a Jar, digitally signed by a certificate issued by a Certification Authority (e.g. Comodo $180/year, Thawte $300/year) would ever run. Everything else would be rejected.
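As an added illustration of the two points above (the policy file only counts from a fixed location, and trust is tied to a signer rather than to a URL), here is a small shell script that is not part of the original answer. It embeds a constructed excerpt of a JRE's java.security file, resolves where the JVM would actually look for policy files, and shows a policy file that grants permissions only to code signed by a keystore alias. The paths, the alias "vendor", the keystore name and the host are made-up placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer. Inspects where a JVM
# loads policy files from and checks a policy file for overly broad grants.

# Constructed excerpt of $JAVA_HOME/conf/security/java.security
# (lib/security/java.security on Java 8). The real file is much longer.
JAVA_SECURITY_SAMPLE='
policy.url.1=file:${java.home}/conf/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.allowSystemProperty=true
'

# resolve_policy_urls JAVA_HOME USER_HOME
#   Reads java.security text on stdin and prints the absolute path of every
#   policy.url.N entry, with ${java.home} and ${user.home} expanded. These
#   are the only places the JVM consults; a policy fetched from a URL is
#   never read unless something trusted first writes it to one of them.
resolve_policy_urls() {
  jh=$1; uh=$2
  sed -n 's/^policy\.url\.[0-9][0-9]*=file:\(.*\)$/\1/p' \
    | sed "s#\${java.home}#$jh#g; s#\${user.home}#$uh#g"
}

# allows_system_property
#   Exit 0 if java.security lets -Djava.security.policy=<file> add a policy
#   on the command line. If this is false, even a launcher flag is ignored.
allows_system_property() {
  grep -q '^policy\.allowSystemProperty=true' 
}

# Constructed policy file: permissions go only to code signed by the
# alias "vendor" in the named keystore. Unsigned code gets nothing here.
POLICY_SAMPLE='
keystore "file:${user.home}/trusted.jks", "JKS";
grant signedBy "vendor" {
  permission java.io.FilePermission "${user.home}/app-data/-", "read,write";
  permission java.net.SocketPermission "updates.example.org:443", "connect";
};
'

# count_unsigned_grants
#   Reads a policy file on stdin and prints how many grant blocks apply to
#   all code (no signedBy / codeBase qualifier). Anything above 0 deserves
#   a look, because such grants extend trust to every class the JVM loads.
count_unsigned_grants() {
  grep -c '^[[:space:]]*grant[[:space:]]*{' || true
}

# has_all_permission
#   Exit 0 if the policy hands out java.security.AllPermission anywhere,
#   which is equivalent to disabling the sandbox for the matching code.
has_all_permission() {
  grep -q 'java\.security\.AllPermission'
}

# Demo run with the constructed samples and placeholder home directories.
echo "Policy files this JVM would load:"
printf '%s\n' "$JAVA_SECURITY_SAMPLE" | resolve_policy_urls /opt/jdk /home/alice
if printf '%s\n' "$JAVA_SECURITY_SAMPLE" | allows_system_property; then
  echo "-Djava.security.policy=<file> is honoured"
fi
echo "Unqualified grant blocks in sample policy: $(printf '%s\n' "$POLICY_SAMPLE" | count_unsigned_grants)"
if printf '%s\n' "$POLICY_SAMPLE" | has_all_permission; then
  echo "WARNING: AllPermission granted"
else
  echo "No AllPermission in sample policy"
fi
```

Run it as-is to see the resolved locations for the placeholder home directories; point it at a real java.security with `resolve_policy_urls "$JAVA_HOME" "$HOME" < "$JAVA_HOME/conf/security/java.security"` to audit an actual installation.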