Initialize NSS with no DB in the renderer process

base/nss_util.h

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef BASE_NSS_UTIL_H_
 #define BASE_NSS_UTIL_H_
 #pragma once
 
 #include "base/basictypes.h"
 
@@ skipping 19 matching lines @@
 // Initialize NRPR if it isn't already initialized.  This function is
 // thread-safe, and NSPR will only ever be initialized once.  NSPR will be
 // properly shut down on program exit.
 void EnsureNSPRInit();
 
 // Initialize NSS if it isn't already initialized.  This must be called before
 // any other NSS functions.  This function is thread-safe, and NSS will only
 // ever be initialized once.  NSS will be properly shut down on program exit.
 void EnsureNSSInit();
 
+// Initialize NSS without a persistent DB.  This is used the special case

[wtc, 2011/03/15 00:21:45]

Nit: add "in" or "for" before "the special case"

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+// where access of persistent DB is prohibited.  This method is only used in
+// the renderer process to enable use of the NSS crypto library.

[wtc, 2011/03/15 00:21:45]

Avoid mentioning "renderer process" in the 'base' and 'net'
modules, because these modules may potentially be used by
applications other than Chromium.

I'd delete this sentence, and make the previous sentence
more general, to say "access of persistent DB is unnecessary
or prohibited".

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+//
+// NSS will be initialized with an empty temporary DB with no root certs.
+// Access to user security modules is also not allowed.

[wtc, 2011/03/15 00:21:45]

This should say:
  NSS will be initialized without loading any user security
  modules, including the built-in root certificates module.
  User security modules need to be loaded manually after NSS
  initialization.

+//
+// This function is thread-safe, and NSS will only ever be initialized once.
+// NSS will be properly shut down on program exit.
+//
+// After calling this function, calling EnsureNSSInit() will have no effect.
+//
+// *ONLY USE THIS IN THE RENDERER PROCESS*

[wtc, 2011/03/15 00:21:45]

This warning should be removed, or made more generic, without
reference to the renderer process.

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+void EnsureNSSNoDBInit();
+
+// This methos is used to disable checks in NSS when used in a forked process.

[wtc, 2011/03/15 00:21:45]

Typo: methos => method

Please document that DisableNSSForkCheck must be called
before NSS is initialized.

I suggest writing the warning like this:

WARNING: use this with caution.

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+// NSS is fork-sensitive to avoid problems when using user security modules in
+// a forked process.  However if we are sure there are no modules loaded before
+// the process is forked then there is no harm disabling the check.
+//
+// *USE THIS WITH CAUTION*
+void DisableNSSForkCheck();
+
 // Check if the current NSS version is greater than or equals to |version|.
 // A sample version string is "3.12.3".
 bool CheckNSSVersion(const char* version);
 
 #if defined(OS_CHROMEOS)
 // Open the r/w nssdb that's stored inside the user's encrypted home directory.
 void OpenPersistentNSSDB();
 #endif
 
 // Convert a NSS PRTime value into a base::Time object.
@@ skipping 26 matching lines @@
  private:
   Lock *lock_;
   DISALLOW_COPY_AND_ASSIGN(AutoNSSWriteLock);
 };
 
 #endif  // defined(USE_NSS)
 
 }  // namespace base
 
 #endif  // BASE_NSS_UTIL_H_