I admit that Oracle finally did something right by requiring a white-list of all Java websites you want to use, but it's taken me all morning to understand how to do it.
AFAICT, the only way to white-list a website is to use the Java Control Panel (jcontrol) and type the full URL, including the http:// or, preferably, the https:// if you don't want a nag screen.

For example, here's a site I visit every morning: http://www.goes.noaa.gov/goes-w.html which lets me watch a Java-powered image loop of the weather over the Pacific Ocean. Now I click on the button to animate the image, and I get a pop-up saying that this untrusted website wants to do something awful and refuses to let it run Java, period. No explanation of how I can 'trust' the website. How many people are going to figure out they need to run the Java Control Panel and manually add this site to the list of trusted sites?

And, now that I've added "http://www.goes.noaa.gov" manually, I try the site again. Nope. The jar file I need is on a "different domain" (www.sdd.noaa.gov), so now I need to add that URL to the white list <sigh>, including http://

Now, I agree that they did it right from a security point of view, but jeez, they could have done the user interface a bit better. Or maybe they did it better and I haven't found it yet?

