With the fix for 6670470 to allow JNLP-launched applets to refer to extensions on other hosts (among other things), it is absolutely essential that the same functionality be supported for Java Web Start applications. Otherwise we will have a major discrepancy in functionality between these two deployment technologies, which are supposed to be essentially identical from the user's point of view.
Note that 6518285 was filed on this very similar issue over a year ago. Since that bug specifically targets spec changes, this bug will focus on changing the implementation without changing the specification to allow fallback behavior to a more relaxed security model.
If LaunchDownload.checkJNLPSecurity() throws an exception, then we will degrade to the same behavior as is currently used for JNLP-launched applets: in particular, do not add permissions for the class being loaded based on the contents of the JNLP file. Instead, consider only the origin of the code and its trust status. This will involve adding code to the JNLPClassLoader which is similar to that currently in the Plugin2ClassLoader.