Closed Bug 989139 Opened 10 years ago Closed 10 years ago

[e10s] Unable to use NSS in content processes

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(e10s+)

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
e10s + ---

People

(Reporter: billm, Unassigned)

References

Details

We have a lot of tests that assert when run in content processes:

###!!! ASSERTION: Trying to initialize PSM/NSS in a non-chrome process!: 'Error', file /builds/slave/h-lx-d-00000000000000000000000/build/security/manager/ssl/src/nsNSSComponent.cpp, line 148

The most common place where this seems to happen is when a tests uses a <keygen> tag. What can we do about this? It happens in a bunch of reftests.
Flags: needinfo?(cviecco)
(In reply to Bill McCloskey (:billm) from comment #0)
> We have a lot of tests that assert when run in content processes:
> 
> ###!!! ASSERTION: Trying to initialize PSM/NSS in a non-chrome process!:
> 'Error', file
> /builds/slave/h-lx-d-00000000000000000000000/build/security/manager/ssl/src/
> nsNSSComponent.cpp, line 148
> 
> The most common place where this seems to happen is when a tests uses a
> <keygen> tag. What can we do about this? It happens in a bunch of reftests.

We actually do allow use of NSS in the content process in limited circumstances, e.g. for WebRTC.

<keygen> and the existing window.crypto.* should be re-implemented for e10s so that they remote the crypto work to the parent process.

The other major cause of this assertion is the site identity block implementation. The site identity block tries to calculate the security state of the connection used to load the page inside the child process, with the intent to serialize it and send it to the parent process. Obviously, it would be much better for the parent process to calculate the security state of the connection used to load the page itself, since it shouldn't be trusting security-critical information from the child process.

Cert error overrides (about:certerror) are the other major thing that need to be changed, that I remember. Probably we just need to load about:certerror in a parent-process tab instead of an e10s tab.
Pretty much what bsmith said. There was some work in Bug 101019 that could be the start for keygen.
Flags: needinfo?(cviecco)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
This is what we want. Functionality to be remoted in bug 582297
Resolution: DUPLICATE → WONTFIX
You need to log in before you can comment on or make changes to this bug.