Semantic of NPN_GetURL. Local files. History

Benjamin Smedberg benjamin at smedbergs.us
Tue Mar 6 13:26:26 PST 2012


On 2/25/2012 6:43 AM, John Yani wrote:
>
> What's the problem? I'm generating that HTML file. And I already have 
> an access to anything in that directory (I create that).
>
It is still not considered same-domain with the original website, and 
may be given different permissions by the user.
>
> That's what I'm trying to prove. NPAPI plugins can do native 
> filesystem calls, so there's no reason to restrict loading local file 
> from the plugin's NPN_GetURL call.
>
And yet it is still defense in depth. This is not something that we are 
going to change in Firefox.

> Why do you think that removing an URL from history after NPN_GetURL 
> call is difficult to implement?
>
Because I know how our session history implementation works.

It seems to me that NPAPI plugins may not be the best solution for your 
use-case, or you need to change how your data is presented to the user 
so that you can generate it on command (possibly using a fullpage iframe 
or other techniques so that the plugin can remain present and keep 
generating data as needed.

--BDS



More information about the plugin-futures mailing list