Initialize NSS with no DB in the renderer process

base/nss_util.h

Index: base/nss_util.h
diff --git a/base/nss_util.h b/base/nss_util.h
index 10bbdfb41eb734f6f80ab104cf45cb87cb5fcd53..dc368a52ddeec6f0d74a5641d9ca8922fe5645d9 100644
--- a/base/nss_util.h
+++ b/base/nss_util.h
@@ -37,6 +37,29 @@ void EnsureNSPRInit();
 // ever be initialized once.  NSS will be properly shut down on program exit.
 void EnsureNSSInit();
 
+// Initialize NSS without a persistent DB.  This is used the special case

[wtc, 2011/03/15 00:21:45]

Nit: add "in" or "for" before "the special case"

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+// where access of persistent DB is prohibited.  This method is only used in
+// the renderer process to enable use of the NSS crypto library.

[wtc, 2011/03/15 00:21:45]

Avoid mentioning "renderer process" in the 'base' and 'net'
modules, because these modules may potentially be used by
applications other than Chromium.

I'd delete this sentence, and make the previous sentence
more general, to say "access of persistent DB is unnecessary
or prohibited".

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+//
+// NSS will be initialized with an empty temporary DB with no root certs.
+// Access to user security modules is also not allowed.

[wtc, 2011/03/15 00:21:45]

This should say:
  NSS will be initialized without loading any user security
  modules, including the built-in root certificates module.
  User security modules need to be loaded manually after NSS
  initialization.

+//
+// This function is thread-safe, and NSS will only ever be initialized once.
+// NSS will be properly shut down on program exit.
+//
+// After calling this function, calling EnsureNSSInit() will have no effect.
+//
+// *ONLY USE THIS IN THE RENDERER PROCESS*

[wtc, 2011/03/15 00:21:45]

This warning should be removed, or made more generic, without
reference to the renderer process.

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+void EnsureNSSNoDBInit();
+
+// This methos is used to disable checks in NSS when used in a forked process.

[wtc, 2011/03/15 00:21:45]

Typo: methos => method

Please document that DisableNSSForkCheck must be called
before NSS is initialized.

I suggest writing the warning like this:

WARNING: use this with caution.

[Alpha Left Google, 2011/03/15 01:27:51]

Done.

+// NSS is fork-sensitive to avoid problems when using user security modules in
+// a forked process.  However if we are sure there are no modules loaded before
+// the process is forked then there is no harm disabling the check.
+//
+// *USE THIS WITH CAUTION*
+void DisableNSSForkCheck();
+
 // Check if the current NSS version is greater than or equals to |version|.
 // A sample version string is "3.12.3".
 bool CheckNSSVersion(const char* version);