Our plugin is no Flash but it still has (and continues to have) a
decent install base so I'd definitely be interested in keeping things
as secure as possible. For now I'm sticking to the npruntime approach
suggested by Antoine near the beginning of this thread and it works
fine on both Chrome and Firefox. I'm hesitant to go back to the
NPN_GetURL with javascript since a future update for Chrome might
decide to break it :) As demonstrated by the link above, I realize
that it is still not secure. So if there are better ideas, please let
me know.

Adam, I'd appreciate even a high-level proposal from you; it doesn't
have to be detailed. As long as it can work cross-browser I can dig
into the details. It may be complex but it can't be that complex :)

Thanks for all your time on this!

On Jun 9, 9:50 am, Adam Barth <[email protected]> wrote:
> On Tue, Jun 9, 2009 at 9:33 AM, John Abd-El-Malek<[email protected]> wrote:
> > On Wed, Jun 10, 2009 at 12:30 AM, Adam Barth <[email protected]> wrote:
> >> I'm hesitant to say because I don't want Vijay to treat this as advice
> >> on the "right" way to determine which page included his plug-in.  The
> >> approach of trying to read the document's location via JavaScript is
> >> fundamentally insecure.
>
> > I think if we tell someone not to do something because it's insecure, we
> > need to at least tell them about the most secure way we know about, even if
> > it's not perfect.  IMO unless Vijay's plugin is on a large number of
> > machines, it won't be an attractive target for attackers.
>
> I do know a secure way to do this, but it's extremely complex.  I
> don't think it would be responsible for me to try to explain it in
> this thread because I'd probably screw up the explanation.  I should
> document it carefully sometime, but that's not high on my list of
> priorities.
>
> Adam
--~--~---------~--~----~------------~-------~--~----~
Chromium Developers mailing list: [email protected] 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
-~----------~----~----~----~------~----~------~--~---
