[rfc][icedtea-web] "Always trust content from this publisher" defaulting to checked

Tue May 20 18:12:07 UTC 2014

On 05/20/2014 07:31 PM, Andrew Azores wrote:
> On 05/20/2014 12:28 PM, Jiri Vanek wrote:
>> On 05/20/2014 06:04 PM, Andrew Azores wrote:
>>> Hi,
>>>
>>> I think the "Always Trust" checkbox that appears on the CertWarningPane for fully signed applets should not default to being checked anymore. I assume it is currently checked by default to encourage users to trust fully signed applets so that the dialogs do not continually appear - however, I don't think that's necessarily the right course of action now. Now that we have the ability to assign custom policies to different applets, persistently or per individual run of the applet I think more emphasis should be placed on this ability. Currently, the dialog also disables the Sandbox button (which then disables all ability to run the applet without granting it all permissions) when the checkbox is selected because
>>> it was decided at the time that it doesn't make sense to say "I always trust this publisher, but I want to run the applet as if I don't really trust the publisher." I think this behaviour should be kept. So the only change being made is to default the checkbox to unchecked, so that the Sandboxing options are presented as available to begin with, increasing their visibility.
>>>
>>> This comes down to simply changing one value for the checkbox. Also bundled with this patch are making a utility method static, and removing two unused fields.
>>>
>>> ChangeLog:
>>> * netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java (policyMenu, policyEditor): unused fields removed.
>>>    (getImageIcon): made static. (addButtons): default alwaysTrust checkbox to not selected.
>>>
>>> Thanks,
>>>
>>
>>
>> Hmm. The "always trust" is prechecked only when certificate is verified and trusted. Otherwise it is not selected by defaul.
>>
>> or am I missing something?
>>
>> J.
>
> Yes, that's what I'm talking about. I think it makes sense for it by default to never be selected.

I think that verified (ONLY verified)  certs should remain checked. But others my think differently (now we are 1:1 :) )

Sorry for blocking it. TBH i do not care :) And there are few applications  which I actually  really unselected although they are  verified. So I scrumbled to stay 0.8:1

As for the code,
-        alwaysTrust.setSelected(alwaysTrustSelected);

is alwaysTrustSelected now reused? I would suspect it to be abandoned...

J.