-
Notifications
You must be signed in to change notification settings - Fork 8
/
tut_npapi.html
98 lines (82 loc) · 3.54 KB
/
tut_npapi.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
---
layout: default-withsidebar
title: NPAPI Plugins
support: 16
copyright: opera-google-ccby
originalsource: http://developer.chrome.com/extensions/npapi.html
---
<p class="alert"><strong>Warning:</strong> NPAPI support will be deprecated from Opera 20 onward. We recommend converting your extension to use other extension APIs or <a href="tut_message_passing.html#native_messaging">native messaging</a> instead.</p>
<h2 id="introduction">Introduction</h2>
<p>
Leveraging HTML and JavaScript makes developing new extensions really easy,
but what if you have existing legacy or proprietary code that you want to reuse in your extension? In that case, you can bundle an NPAPI plugin with your extension, allowing you to call into native binary code from JavaScript.
</p>
<p>Code running in an NPAPI plugin has the full permissions of the current user and is not sandboxed or shielded from malicious input by Opera in any way. You should be especially cautious when processing input from untrusted sources, such as when working with content scripts or XMLHttpRequest.</p>
<h2 id="details">Details</h2>
<p>
How to develop an NPAPI plugin is outside the scope of this document.
See <a href="https://developer.mozilla.org/en/Plugins">Mozilla's
NPAPI plugin reference</a> for information on how to do that.
</p>
<p>
Once you have an NPAPI plugin, follow these steps to get your extension using it.
</p>
<ol>
<li>
Add a section to your extension's <code>manifest.json</code>
that describes where to find the plugin,
along with other properties about it:
<pre class="prettyprint">{
"name": "My extension",
...
<b>"plugins": [
{ "path": "extension_plugin.dll" }
]</b>,
...
}</pre>
<p>
The "path" property specifies the path to your plugin,
relative to the manifest file.
The "public" property specifies whether
your plugin can be accessed by regular web pages;
the default is false,
meaning only your extension can load the plugin. Add
<code>"public": true</code> to make your plugin accessible on
regular web pages and content scripts. But
<a href="#security-considerations">be careful</a> — any
web page will then be able to call into your plugin.
</p>
</li>
<li>
Create an HTML file that loads your plugin by mime-type.
Assuming your mime-type is "application/x-my-extension":
<pre class="prettyprint">
<embed type="application/x-my-extension" id="pluginId"></embed>
<script>
var plugin = document.getElementById("pluginId");
var result = plugin.myPluginMethod(); // call a method in your plugin
console.log("my plugin returned: " + result);
</script></pre>
<p>
This can be inside a background page
or any other HTML page used by your extension.
If your plugin is "public",
you can even use a content script to programmatically
insert your plugin into a web page.
</p>
</li>
</ol>
<h2 id="security-considerations">Security considerations</h2>
<p>
Including an NPAPI plugin in your extension is dangerous because plugins
have unrestricted access to the local machine. If your plugin contains
a vulnerability, an attacker might be able to exploit that vulnerability
to install malicious software on the user's machine. Hence, avoid
including an NPAPI plugin whenever possible.
</p>
<p>
Furthermore, marking your NPAPI plugin "public" increases the attack surface of your
extension because the plugin is exposed directly to web content, making
it easier for a malicious web site to manipulate your plugin. Hence,
avoid making your NPAPI plugin public whenever possible.
</p>