I am working on a webpage that depends on browser extensions to perform certain tasks.
From the webpage I can communicate with the chrome browser using 'externally_connectable' and:
chrome.runtime.sendMessage(string extensionId, any message, object options, function responseCallback)
The good thing here is that from the point of view of my website I am sure I am communicating with my extension and not with a 'reverse engineered' version of my extension.
In firefox extensions however there is no support for externally_connectable and I have to use events or window.postmessage:
const event = new CustomEvent('msg-for-content-script');
document.querySelector('body').dispatchEvent(event);
This works ok, but the problem is that when somebody manages to reverse engineer my extension I am not able to check whether the extension I am communicating with is really my extension.
Is there anybody who can give advice on how to make sure that I am communicating with the right extension?
Related
Are the Chrome DevTools Protocol APIs open source? I'm trying to find out the source code to understand the working of some APIs in depth.
What exactly happens behind the scenes when we try to call those API using Puppeteer?
This is how we use them -
const tree = await page._client.send('Page.getResourceTree');
I want to understand the how does this interface (page._client.send) work. Does it also make a request using the internet bandwidth or it works completely offline?
I want to register a custom file protocol in Chrome or Firefox, much like the way Electron does (please see their API for doing this: https://www.electronjs.org/docs/api/protocol). I am wondering if there is a way to implement this as a browser extension, or I have to modify the source code of the browsers.
I expect that the API would look like this (just a pseudocode to help explain what I mean):
registerHandler('myprotocol://', req => {
response('<body>You requested: ' + req.url);
});
Clarification: navigator.registerProtocolHandler is NOT what I need. What it does is to register a protocol that, when clicked, opens an external application to deal with that. But what I want is a protocol handler scheme that works in a request--response way, e.g. can be used in JS/CSS/HTML queries and responds with a content that can be rendered within the browser.
I would answer my own question because I found exactly what I need here: https://github.com/mozilla/libdweb
This is an experimental feature of Firefox Nightly that allows one to register a custom protocol and serve all requests to that protocol using firefox addon. This is not a WebExtension standard nor does it work on browser other than Nightly, but I'm glad to hear that someone is doing this.
I am developping web applications using the Xpages framework from the IBM Lotus Notes technology.
My users don't use the embedded Notes Client browser, but use a regular modern browser (Firefox, Chrome) to browse Notes applications.
Everything is ok when the user has an internet connexion, he can access the application on the online server through his favorite browser.
However some of my applications need to be used Offline, in local. When a user works in local, he opens the IBM Notes Client, go to his workspace and click to open an application locally. Then, the Notes Client runs a http server on a random port and open the application with the embedded Notes Client browser.
What I want to achieve is to be able to open the application on a regular browser (Firefox, Chrome), by just using the default system browser and not the embedded Notes Client browser.
Here is what I tried without success :
With window.location.href I get the port where the local http server runs and the path to the page that is opened in the embedded Notes Client browser. I get this kind of result :
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp?OpenXPage&&xspRunningContext=Notes
So I just keep the interesting part :
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp
Now I need to pass the session id has a parameter of this http request so the browser will have the right to access the application. I get the session ID with the following :
facesContext.getExternalContext().getRequest().getSession().getId()
From this I get an ID and I build my complete http request :
127.0.0.1:54428/xsp/Gfn/CoffeShop.nsf/xp_home.xsp?SessionID=ID-fae7aca8f062023972fe35e5909b0106f44ba2ae
But when I try this into a regular browser, instead of getting the page I get an error 500. If I look at the log of the server, I see the following error message :
Exception Thrown
javax.servlet.ServletException: The request is not coming from a trusted Rich Client part
But I am sure my ID is correct. I tried to investigate this on the internet but no success for now, I would be happy if someone has an idea about what do I miss? Or maybe another way to open a local application in the default system browser?
Thank you!
In short, you can't. This is disabled by security restrictions.
But maybe you should think again about a XPiNC application: With 9.0.1, the underlying XULRunner component was upgraded and supports now HTML5 and a lot of the "newer" features.
It matches Firefox 10.0.6, here are the HTML5 test results:
https://html5test.com/s/555ae51ca555ac7b.html
The only reasonable action you have at you disposal is to install Domino designer on the clients. Then you get the nhttp task that serves to a standard browser (you might get away analysing what nhttp needs and only install that part).
The caveat there: the local nhttp does not support authentication. So you need to hack around it (e.g. copy data back and forth between the local NSF and the properly secured one).
Alternative you could try the approach I took with vert.x (should work with any Java container, but then you won't have any XPages, just raw Domino data.
Danielle pushed that forward with the Crossworlds Project - which might be what you need.
Stephan says it as it is: the way you are considering is just going to cause you huge headaches.
If offline capacity is a must, have you thought about creating a pure Notes-Client application? That would certainly be far easier.
My question has similar point like this one.
I’m wondering how I can catch a media URL which SWF loads from browser add-on. Let’s say YouTube flash player starts playing or loading some video (let it be via http) and I want to know that url. Just like browser plugins from “RealDownloader” and “Moyea YouTube FLV Downloader” does. I’m newbie with plugin development and flash and I want to know what technologies it may be. XPCOM, NPAPI, ActiveX, or simple API hooking. Any ideas how this may be accomplished?
NPAPI plugins typically ask the browser to load data for them, they don't do it themselves. This means that a browser extension can intercept these requests. This can be done for example by implementing a content policy. Requests initiated by a plugin will cause a shouldLoad call with type OBJECT_SUBREQUEST.
The simpler option is using HTTP observers - but this way you won't recognize requests initiated by Flash, they will look just like any other request processed by the browser.
Firebug does that, and it's open source. Why not study it a little?
https://github.com/firebug/
It's easy if you only want to get the url from a single swf in a single website. for example if all you need are urls from that swf,you can keep only one instance of your browser open and use a tool to intercept its http requests.
I'm wondering, is it even possible to treat the request for the Xul Browser component to open a new window? I tried changing the window.open function, but looks like it's never called.
All links that open in a new window are not opening in my application.
I found this page on the subject, but the provided solution is showing no different behavior.
Any hint on this?
(by the way, I'm developing a stand alone application, not a Firefox's extension)
I'm assuming you are in a XULRunner application, and that you are trying to load a chrome URL from a non-chrome source in a browser (e.g. HTTP or local file). While enabling UniversalXPConnect and UniversalBrowserWrite can be helpful, they are also a security risk (since any arbitrary script on the web could use them), so they tend to be disabled in browsers (for example, running that line in Firebug will give you an exception):
>>> netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect UniversalBrowserWrite");
Error: A script from "http://stackoverflow.com" was denied UniversalXPConnect UniversalBrowserWrite privileges.
How about you try using codebase security principals and see if that makes a difference? (http://www.mozilla.org/projects/security/components/signed-scripts.html#codebase). For me in Firebug it does allow me to get the additional permissions after I OK it with a big, nasty looking dialog), but still doesn't allow me to open a Chrome URL with window.open. The next step is probably to try changing your conf file to use contentaccessible so that the relevant parts of your content are accessible (see https://developer.mozilla.org/en/Chrome_Registration#contentaccessible).
To avoid the nasty message when elevating permissions, you could try setting permissions for the right files automatically as described at http://forums.mozillazine.org/viewtopic.php?f=38&t=1769555.
Also, make sure you check the browser type (https://developer.mozilla.org/en/XUL/Attribute/browser.type). If the browser type is not chrome, then it might be worth trying making it chrome and seeing if that makes a difference.
If any of my assumptions are wrong get back to me and I will try something else.
does normal js not work?
window.open(url,windowname,flags);
There are two ways that I know of.
The first is to set the browser.chromeURL preference to a chrome URL that contains a <browser type="content-primary">. The page that the content window tried to open will load into the given browser.
The second is to set the property window.browserDOMWindow with an object that you define to implement the nsIBrowserDOMWindow interface. This allows you to divert the open call into a tab, if you are using a tabbed interface. Note: the tabbed browsing preferences must be set to allow windows to be diverted into tabs, otherwise XULrunner will fall back on browser.chromeURL.