XPCOM Security issues - security

I'm developing a Firefox plugin using XPCOM. I've not yet read all the docs, but as far as I can see, a plugin is simply a DLL that provides services via an XPCOM interface and interacts with the browser via XPCOM interfaces. Since the plugin itself is a native DLL, how would the security model work? Would it rely on the fact that the user trusts the plugin not to do nasty stuff, like with OCX controls?
I can't see any other way it could be secured... Is there?

Just to clarify a few definitions, as far as I know, in Mozilla-land:
a plugin is something that is used to render content via the NSAPI (think Flash, PDF, ...) and is normally not using XPCOM
an extension is a package that extends Mozilla/Firefox via XUL and/or XPCOM, which can contain components and/or XUL GUI stuff.
a component is a provider of XPCOM services and can be written in JavaScript or as a native shared library/DLL
So I guess, what you want to do is an extension consisting of a component.
As an answer to your question: You are right, as soon as the user installs an extension, he is agreeing to trust that one. Even if it consists of JavaScript code, it automatically has more access than web site JavaScript.

XPCOM does not seem to be intended for plugins, but rather applications, so security is not modelled.

Related

Patterns and Practices for communication between Web Extensions and a web app

I'm developing an extension and I'm a bit stuck about the communication between the web-app, the content-script of the extension, and the communication between the content-script and the background-script. It seems that the HTML5 Messaging API is to be used, but how to do that in a precise context is not only hard to understand and implement, but also confusing due to differences of approach in browsers (which seemingly support the same API).
For example, Firefox doesn't recognise the externally_connectable in manifest.json, which is where one assigns permissions for the hosts where requests originate from. So how does Firefox expect you the developer to assign the permissions? I assume it expects you do that within the content-script?
Particularly, I'm confused about what is the best way to exchange data between the app and the content/background script. Is the best way postMessage / addListener methods and do they work in all contexts; or as someone mentioned: window.dispatchEvent should be preferred?
All guides relevant to the point above are appreciated.
Messages coming from outside the extension is not something I have experience with (and I'm not sure that's what you mean).
You should make sure you thoroughly understand the chrome extensions overview which is definitely required reading.
Re Window.dispatch and using other APIs, my suggestion is to stick to the chrome.xxx APIs unless there's something they can't do.
There are 3 scopes potentially in your extension that can only communicate by messaging but the messaging is simple to implement and actually can lead to good designs.
Content scripts are the key to interacting with the page itself but their scope isn't the same as the page, the js is isolated but they can access the DOM of course.
Content scripts can be loaded when every page loads or just some pages by including them in the manifest. Or powerfully, they can be injected by the background page or the popup - so if your intention is to control from the popup, you can use programmatic injection - a useful pattern is that the popup (or background) can launch a url in a tab, inject jQuery (any version because it's isolated), then inject the content script, the content script can then use $(document).ready() to wait for the page to be loaded (you don't have to use jQuery, but the fact that you can without caring whether the page has jQuery or not, or what version it might have, is useful).
If you already knew this much, you might not be as confused as you think :)
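The web app to content script to background script relay discussed in this thread, as an added example that is not code from the original posts: the content script checks each window message before forwarding it, and the background script checks the sender. The origin https://app.example.com, the "my-ext" channel tag, the direction field and the message types are hypothetical names chosen for the illustration.

```javascript
// Added example: content-script bridge between a web app and the background script.
// ALLOWED_ORIGINS, the "my-ext" channel and the message types are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumption: your web app
const ALLOWED_TYPES = new Set(["GET_STATE", "SAVE_ITEM"]);

// Returns a rebuilt message if the window "message" event may be relayed, else null.
function validatePageMessage(event, win, allowedOrigins = ALLOWED_ORIGINS) {
  if (event.source !== win) return null;               // frames and other windows
  if (!allowedOrigins.has(event.origin)) return null;  // pages that are not the web app
  const d = event.data;
  if (d === null || typeof d !== "object") return null;
  // The direction tag stops the bridge from relaying its own replies back in.
  if (d.channel !== "my-ext" || d.direction !== "to-extension") return null;
  if (!ALLOWED_TYPES.has(d.type)) return null;
  // Forward only the known fields, never the page's object as-is.
  return { type: d.type, id: String(d.id), payload: d.payload === undefined ? null : d.payload };
}

// `win` and `runtime` are injected so the logic can be exercised outside a browser.
function installBridge(win, runtime, allowedOrigins = ALLOWED_ORIGINS) {
  win.addEventListener("message", (event) => {
    const msg = validatePageMessage(event, win, allowedOrigins);
    if (!msg) return;
    runtime.sendMessage(msg, (reply) => {
      // Reply to the validated origin only, never to "*".
      win.postMessage({ channel: "my-ext", direction: "to-page", id: msg.id, reply }, event.origin);
    });
  });
}

// Background side: accept only messages from this extension's own content scripts.
function acceptInBackground(msg, sender, ownId) {
  return sender.id === ownId && !!sender.tab && !!msg && ALLOWED_TYPES.has(msg.type);
}

if (typeof chrome !== "undefined" && chrome.runtime && typeof window !== "undefined") {
  installBridge(window, chrome.runtime); // real wiring inside a content script
}
```

In the background script, acceptInBackground would be called from a chrome.runtime.onMessage listener with chrome.runtime.id as ownId.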

XPage accessing controls values

Accessing controls values, what is the recommended way to use?
document.getElementById(...) or XSP.getElementById(...)
The XSP object acts a "wrapper" and would hide implementation details (browser incompatibilities, etc.) for you, therefore I would prefer the use of XSP.getElementById(...):
The XSPClientDojo library defines a global XSP object which exposes
some JavaScript functions to the XPages runtime. As its name suggests,
XSPClientDojo utilizes the Dojo JavaScript library, however other
implementations may be developed in the future (for example, when
supporting handheld devices).
document.getElementById(...) places the reliance on browser implementation. XSP.getElementById(...) places the reliance on the IBM Dojo extension and IBM support.
The same rules hold for any of the XSP.... methods. If browser changes should ever affect it, IBM code will be updated and as long as your server is on the current release and fix packs you will not need to make changes to your application. So as with relying on any framework, it comes down to whether you are willing to keep the framework up to date to leverage the extra layer of abstraction.

How to execute local files on embedded chrome using Awesomium.NET or CefSharp

I have used several solutions like the Berkelium project, CefSharp and Awesomium.NET. The web application I built consists of JavaScript, XML and CSS. When I used these solutions for files published on a server they work properly, but when I give a path like (file:///path) it stops responding.
Depending on your needs as alternatives to file:// maybe look at either:
Implementing a SchemeHandler as showcased by both the CefSharp.WinForms.Example and WPF ditto.
Maybe even an OWIN married with CEF implementation, like Harley
or see this other answer: Ajax not working in CefSharp based WebView with local files

Browser Extension the "Injected way" a cross-browser extension that include a JS from a distant server

I've found this nice article about the "injected Way", but the author never finished it :
http://hightechstartups.blogspot.ch/2012/05/different-way-of-developing-browser.html
I would like a bare bone cross browser extension, without any 3rd party extensions or framework (to be as light as possible and not dependent on a 3rd party) that would load jQuery and a JS from a distant server and the ability to load it before or after the page is fully loaded.
I've read a lot of topics about the subject, but since IE10, Chrome 26 and FF20 are out with their new cross-link limitations, I was wondering if somebody had resources, source code or tutorial about the following requirements:
I need:
Cross browser extension supporting (IE 8+ or 9+ worst case, Chrome 26+, FF20+, Safari)
Ability to inject a single JS hosted on another server. Inserts a script tag that references a JavaScript file in the head of the HTML page and then be executed
Not be dependent on a third party extension (Greasemonkey) or framework (Kango, Crossrider)
Ability to load before or after the page is fully loaded
This method allows me to customise the browser extension depending on the user's location and it also avoids having updates as the JS is updated on each page refresh.
I'm aware of the downsides, but I would like to achieve this.
I'm aware of cross browser frameworks like Kango or Crossrider, but both don't fit my needs.
The closest example I could find is this: How can I run a <script> tag that I just inserted dynamically from a BHO
but it only covers IE and as I have very little C# experience, I would like to see a full example to understand it properly and learn from example.
I would LOVE to have a few examples, even if it's not cross-browser (IE being the worst part for me).
Thanks a lot for your support !
Update1:
About Kango and Crossrider, Kango is 2000$ if you want to use IE and for Crossrider you're required to be distributed and monetized by them.
I've managed to code for IE and Chrome, but I was looking for an "elegant" way and figured it was the best place to ask given the level of knowledge of people on this site.
For the installer I currently use NSIS, but I'll test WiX too.
Finally I guess the only way for me would be to learn C++ and .NET to get it to work with IE, but if anyone could provide more source code it would be great to test speed and compatibility and discuss here what's the best solution.
Why do Kango or Crossrider not fit your needs? Both frameworks allow you to manipulate the page's DOM (which is what you want):
Kango: Adding content script
Crossrider: documentation, example code
If you want to code your own solution, take a look at the relevant documentation:
Content scripts (Chrome)
The Page mod Jetpack API (Firefox)
Injected scripts (Safari)
Injected scripts (Opera)
Internet Explorer does not natively support extensions. It took me about 80 hours to create a stable and reliable IE extension which supports cross-site AJAX, a (preference) storage method and injection of scripts as early as possible in any frames based on its URL. I developed and tested the extension with Visual Express 2010 on Windows XP and Windows 7, for IE 8-10 (the extension might work on IE6/7, but I decided to not support these ancient and rarely used browsers).
First, I wrote an extension in C# based on LiveReloadIEExtension (a sample IE extension, which in turn is based on this Stack Overflow answer - see also this blog post). It was functional, but it required .NET 4, lacked support of frames, and it's relatively slow.
So, I decided to write an IE extension from scratch in C++. A good starting point is available at http://www.wischik.com/lu/programmer/bho.html: Sample code for C++ BHO, which changes the document's background based on key/mouse events. I've also learned a lot by looking at other code samples on CodeProject, topics on the MSDN forums, questions and answers on Stack Overflow, lots of other blogs, and the MSDN documentation:
DWebBrowserEvents2 interface lists several events which you use to find an appropriate injection point.
Scripting Object Interfaces (MSHTML) lists even more interfaces. You'll be mainly interested in the IHTMLDocument, IHTMLDocument2, ... interfaces.
After creating the IE extension, you want to deploy it of course. I used the WiX toolset to create an MSI.

Running C# app inside browser as a plugin

I have a small 2D game engine written in C#, using DirectX. Is it possible to somehow run it in a browser as a plugin? Like for example Flash and others, where you go to a site with a game and it will ask you to install a certain plugin and then you can play the game in the browser, with mouse and keyboard input.
I have searched around for hours and I still don't know what I'm looking for. I have so far primarily focused on Internet Explorer, but there are plugins, addons, extensions, etc I don't know what I need really.
Yes I think it is possible.
For example, I have an HTML page which includes an element like this:
<object id="simpleControl1"
classid="http:RenderTextProject5.dll#RenderTextProject.ScrollableControl"
height="300"
width="300">
</object>
The 'classid' attribute value has the following meaning/syntax:
RenderTextProject5.dll is the filename of a compiled .NET assembly
RenderTextProject.ScrollableControl is the qualified name (namespace plus classname) of a class which subclasses System.Windows.Forms.Control
I can then see the control being rendered in the browser.
I'm using IE (IE8, but it used to work with IE6 too), and I have the .NET framework installed on my machine (but I think I needn't have the RenderTextProject5 assembly installed on the client machine).
There may be some other caveats too (e.g. I needed to run in the Intranet security zone).
See Return of the Rich Client: Code Access Security and Distribution Features in .NET Enhance Client-Side Apps.
Look for Silverlight.. It is maybe not exactly what you need but it is a browser plugin capable of running C# code ;)
There is a relatively new plugin called Unity. It is a bit more complex, as it is a dev/3D authoring environment on its own, but uses C# as its language as far as I know. However I don't know if pure 2D programming is possible (well, may be worked around using ortho 3d?).
The basic version is free to download recently, maybe worth a check.
It is possible to run C# applications in a web browser without using plugins. For example, C# applications can be compiled into JavaScript applications using JSIL.
