Bob Relyea wrote:
Nelson B wrote:
They were part of the browser when the Java engine was part of
the browser, as in Netscape 4.x. They were used when a java
applet requested extra privilege. Netscape had defined some
certificate extensions that were used by one or more CAs to
facilitate the display of CA logos. NSS contained some code
to help the browser find the relevant logo URLs. That code
is now "dead code", meaning that it is there in NSS, but nothing
ever calls it (or indeed can call it, since it's not exposed
outside of the shared library).
Look at these URLs to see (some of) the dead code.
http://lxr.mozilla.org/security/ident?i=CERT_HTMLCertInfo
http://lxr.mozilla.org/security/ident?i=CERT_GetCertCommentString
Ian, if you look at those functions (even if you're not a programmer)
I think you'll find them revealing.
Actually Javascript can cause these dialogs. If you fetch Java script
from an SSL site, it is treated as 'signed'. If the java script then
requests some privellege, the user will get a Grant Dialog.
I'm sure there are still grant dialogs, but I'm pretty sure they are
not using the old branding logo work found in NSS (e.g. in
CERT_HTMLCertInfo and the functions that it calls) because that is
provably dead code.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
