Oracle is (rightfully!) tightening the security requirements around the .jnlp web starter more and more. Formerly, they were just started; later, you got warning messages if they weren’t signed with a proper certificate, and in the newest versions, you need to explicitly manage a list of servers you permit execution from.
So, even if you’re a developer of open source, or freeware, you need to sign your code, which requires a certificate, which normally costs money. Unless you use the services of the nice company Unizeto, who, with their Certum certificates, give code signing certificates to open source developers for free.