According to the "Client-side Javascript Guide" under SSL Servers and Unsigned Scripts
An alternative to using the Netscape Signing Tool to sign your scripts is to serve them from a secure server. Navigator treats all pages served from an SSL server as if they were signed with the public key of that server. You do not have to sign the individual scripts for this to happen. If you have an SSL server, this is a much simpler way to get your scripts to act as though they are signed. This is particularly helpful if you dynamically generate scripts on your server and want them to behave as if signed. For information on setting up a Netscape server as an SSL server, see Managing Netscape Servers.
This is obviously incorrect. As those reading this know, Mozilla's same-origin check overrides this behavior.
Netscape 4.x had significantly different script signing architecture. That description applies to Netscape 4.x clients.
"Same-origin" check is something completely different -- that's the protection of scripts in a window/frame from one origin (scheme+host+port) from interacting with the contents of a frame/window from another origin. All modern browsers hold this model in common (give or take edge cases due to implementation differences).
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
