canmove, Confirmed users
4,854
edits
Security/Reviews/PluginOverlayAPI: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 13: | Line 13: | ||
{{SecReview | {{SecReview | ||
|SecReview feature goal=To provide the API for the JavaScript extension to create the preview of a plug-in for specific mime type. Typical use case is to allow creation of the firefox extensions to provide the secure and interactive preview for or fully replace the native plugins. | |SecReview feature goal=To provide the API for the JavaScript extension to create the preview of a plug-in for specific mime type. Typical use case is to allow creation of the firefox extensions to provide the secure and interactive preview for or fully replace the native plugins. | ||
This is a key component of the Shumway implementation of a web-native SWF runtime, specifically the browser integration with Firefox | This is a key component of the Shumway implementation of a web-native SWF runtime, specifically the browser integration with Firefox | ||
=== Notes === | === Notes === | ||
Shumway will call registerPlayPreviewMimeType | Shumway will call registerPlayPreviewMimeType | ||
When there's an embed, a check for whether there's a preview for the type (if not, it calls up plugin) if there is, it loads shumway (other preview) instead. | When there's an embed, a check for whether there's a preview for the type (if not, it calls up plugin) if there is, it loads shumway (other preview) instead. | ||
How does the extension distinguish between multiple frames with the same source? - shumway has access the DOM tree and can extract the information from the original element. | How does the extension distinguish between multiple frames with the same source? - shumway has access the DOM tree and can extract the information from the original element. | ||
What is the origin of the document in the iframe - originally the data: uri, then changed by the streamconverter - (for shumway, looks like resource:) | What is the origin of the document in the iframe - originally the data: uri, then changed by the streamconverter - (for shumway, looks like resource:) | ||
use of a resource URL is likely to cause problems - either use a null principal or use the origin of the original resource. | use of a resource URL is likely to cause problems - either use a null principal or use the origin of the original resource. | ||
This isn't enabling anything addons can't already do; rather, exposing a cleaner way for them to do something. | This isn't enabling anything addons can't already do; rather, exposing a cleaner way for them to do something. | ||
[https://github.com/mozilla/shumway/tree/master/extension/firefox pilot shumway extension] | |||
[http://pastebin.mozilla.org/1735309 iframe box testing] | |||
|SecReview alt solutions=Alternative solution: to provide an API to the extension that will fully intercept a flash object instantiation we need: | |SecReview alt solutions=Alternative solution: to provide an API to the extension that will fully intercept a flash object instantiation we need: | ||
# add entries to the window.navigator.plugins (with the same name, descript, version and mime type as flash); | # add entries to the window.navigator.plugins (with the same name, descript, version and mime type as flash); | ||
# intercept/forward all <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"> instantiations; | # intercept/forward all <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"> instantiations; | ||