On Thu, Jun 18, 2009 at 4:58 PM, John Gregg <[email protected]> wrote:
> Hi all,
>
> I'm working on a desktop notifications javascript API for web apps; on Mac
> these calls will go out to the Growl notification system if it's installed
> and the user has granted permission to get notifications from that origin. I'm
> still trying to completely grasp the sandbox architecture, so the question I
> need some input on is how to design the integration with respect to
> sandboxing & security.
>
> The Growl code that would be included in Chrome is just a stub that works
> by marshalling data over to a separate Growl process, so the surface area is
> small, but as a design question, is calling to a third-party library
> something that should happen in the sandboxed renderer process, or should it
> be kept in the browser process? One other factor is that the notification
> requires an icon to be downloaded, which should happen outside the sandbox.
>
> So there are two possible flows:
>
> A. renderer gets notification(iconURL, text) call => hop to browser to
> download icon => call Growl from browser
>
> B. renderer gets notification(iconURL, text) call => hop to browser to
> download icon => pass back icon data to renderer => call Growl from renderer
>
> My instinct is that B is safer for the remote possibility that Growl chokes
> on the input and causes a crash. What do people think? Is there an
> existing precedent for similar library calls?

B won't (shouldn't) work because of the sandboxing: if the renderer can talk to the Growl helper app, there's a vector open for talking to any application.

TVL

> Thanks,
> -John

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
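As an added illustration of flow A (not code from this thread, from Chromium or from Growl), here is a Python model of the browser-process side: the sandboxed renderer sends plain data only, and the broker checks the origin's permission and the input before the out-of-sandbox icon fetch and the library call, so a failure in the backend is contained there. The `NotificationRequest` shape and the `fetch_icon` and `backend` callables are assumptions for the model.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

MAX_TEXT_LEN = 256
ALLOWED_ICON_SCHEMES = {"http", "https"}

@dataclass(frozen=True)
class NotificationRequest:
    """What the renderer may send over IPC: plain data, no handles (assumed shape)."""
    origin: str
    icon_url: str
    text: str

class Broker:
    """Browser-process side of flow A: owns the permission table and the
    only reference to the notification backend (a stand-in for the Growl stub)."""
    def __init__(self, fetch_icon, backend):
        self.granted = set()
        self.fetch_icon = fetch_icon  # assumed: url -> bytes, runs outside the sandbox
        self.backend = backend        # assumed: (icon_bytes, text) -> None
        self.rejected = []

    def grant(self, origin):
        self.granted.add(origin)

    def handle(self, req):
        """Validate renderer input before any third-party code sees it."""
        if req.origin not in self.granted:
            return self._reject(req, "origin not permitted")
        if urlparse(req.icon_url).scheme not in ALLOWED_ICON_SCHEMES:
            return self._reject(req, "icon scheme not allowed")
        if not req.text or len(req.text) > MAX_TEXT_LEN or not req.text.isprintable():
            return self._reject(req, "bad text")
        try:
            self.backend(self.fetch_icon(req.icon_url), req.text)
        except Exception as e:  # a library failure is contained here, not fatal to the browser
            return self._reject(req, f"backend error: {e}")
        return True

    def _reject(self, req, why):
        self.rejected.append((req, why))
        return False

def demo():
    """Constructed requests: one permitted, one with a bad icon scheme, one from an unknown origin."""
    shown = []
    broker = Broker(lambda url: b"icon:" + url.encode(), lambda icon, text: shown.append((icon, text)))
    broker.grant("https://example.com")
    results = [broker.handle(NotificationRequest("https://example.com", "https://example.com/i.png", "hello")),
               broker.handle(NotificationRequest("https://example.com", "file:///tmp/i.png", "hello")),
               broker.handle(NotificationRequest("https://other.test", "https://other.test/i.png", "hi"))]
    return results, len(shown), [why for _, why in broker.rejected]
```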
