Eddy Nigg (StartCom Ltd.) wrote: > Jose Luis: >> As mentioned in >> http://www.mozilla.org/projects/security/components/signed-scripts.html >> Javascript must be signed with certificates when trying to enable >> priviledges. >> >> How do I get a free certificate for this. >> >> > Hi Jose, > > As far as I know there are none. It might be that GoDaddy still gives > out code signing certs for open source projects for free (so I haven't > seen for along time about it, they might have discontinued it). > > Besides that, it's highly unpractical to sign javascripts and html pages > (as all of them must be signed and placed into the jar) for most sites, > since todays requirements and sites are mostly not static, but > dynamically assembled on the server side. In my opinion, the security > concept of the Mozilla browser(s) is not really usable... :-(
Yes, script signing is not a very practical solution and has a lot of bad issues. Ranging from the certificate issue you bring up, to a bad UI on the users end when you request privilege. It's basically only there as a hold-over from the netscape days which inherited its design from java. Many many moons ago. It's entirely possible that we will completely remove the code-signing feature from firefox 4 or so. If you need to run code with extended privileges I would suggest you create an extension that is specifically designed to work together with your site. Hope that helps. Best Regards, Jonas Sicking _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
