[Mozilla-embedding list -- I thought you might be interested in this information about how we handled some of the embedding issues we encountered in Participatory Culture Foundation's Democracy Player, an integrated BitTorrent client, RSS client, and video player that, in its Windows port, is done up entirely in XUL and Python using multipart/x-mixed-replace and a bit of PyXPCOM glue. See getdemocracy.com/develop.participatoryculture.org for more on the project, or see bug 325497 for the PyXPCOM patch I wrote to make PyXPCOM embedding work right in standalone applications.]

On Apr 10, 2006, at 12:05 PM, Karel-Jan Van Haute wrote:

I find the democracy player a real piece of art.


I would blush, but the credit is due to our excellent graphic designers for the "art" :)

But I can't figure out how you guys made the connection between the channel guide and the program. How can you trigger internal functions from an online website? I refer to the subscription on the channel guide.

Can you give me some code or structure on how you did it?

The short answer is "we run a webserver on 127.0.0.1, and use AJAX techniques (XMLHTTPRequest and similar) to send commands to that webserver from JavaScript."

The long answer: This is tricky, because you want to do it in a secure way so that not just any website can invoke functions in the program (in case there are offsite links in the channel guide, for example), you want to limit what the website can do, and you want to support different versions of the client and the website whose internal implementation details might change.

What we did is:
 1) When Democracy loads the channel guide, it passes two GET parameters, a cookie and a URL. The channel guide remembers these in a server-side session structure using cookies.
 2) At the top of every page, the channel guide spits out code to load the contents of the URL as JavaScript and then call a 'dtvapiInitialize' startup function passing the cookie. The cookie proves that the webpage is authorized to call the API. After that, the page can call other functions with names like 'dtvapiAddChannel' to perform whatever actions it wants to.
 3) The URL points to a webserver run by the Democracy client on 127.0.0.1 on some private port (this is actually how all communication between Mozilla and backend happens in Democracy, using various AJAX techniques. We tried a lot of different approaches but this one was cleanest.) That webserver serves up a static JavaScript file from disk that contains definitions of the functions to start up the channel guide API, add a channel, etc. This way, we can release a new version of the client that works a different way internally without modifying the channel guide server and juggling multiple versions.
 4) In Democracy, on the Windows platform where we use Mozilla, dtvapiInitialize just stores the cookie in a global variable, and dtvapiAddChannel and friends just use that cookie and the arguments to the function to load a URL containing the cookie and the function parameters as arguments. 

For our writeup of the interface between the channel guide website and the client, see:

In particular, you should read the 'security' section to see why we separated out the cookie and the URL, and to learn about the checking we do on the URL parameter provided to the channel guide to avoid a security problem.

For the actual JavaScript we use to implement the API, see our repository:

In particular, you can see how we hacked around Mozilla's rule that unprivileged pages can only XMLHTTPRequest to the same website that sent them (the "same-origin policy".) Previously we flagged the page as privileged, but that could create other security problems. (Note that the security provided by the cookie is not that strong right now -- it's just the port number. But this is something we can fix entirely client-side in a future release.)

Hope it helps --

Geoff Schmidt
Participatory Culture Foundation
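
Added example, not part of the original message and not Democracy's own code: a sketch of the loopback-side check for the cookie scheme described above, using an unguessable per-run cookie where the message says the current one is just the port number. The class name, URL paths, the `url` parameter and the `addChannel` action name are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode

# Hypothetical names throughout; the real URL layout is not shown in the message.
ALLOWED_ACTIONS = {"addChannel"}  # limit what the channel guide page may invoke


class GuideApi:
    def __init__(self, port):
        self.port = port
        # Unguessable per-run cookie, not a value a page could derive (e.g. the port).
        self.cookie = secrets.token_urlsafe(32)
        self.subscribed = []

    def guide_url(self, guide_base):
        """URL the client loads: hands the guide the cookie and the script URL (step 1)."""
        params = {"cookie": self.cookie,
                  "url": f"http://127.0.0.1:{self.port}/dtvapi.js"}
        return f"{guide_base}?{urlencode(params)}"

    def handle(self, peer_ip, request_path):
        """Decide one command request sent by the page; returns (status, message)."""
        # Defence in depth only: any page in the local browser also connects
        # from 127.0.0.1, so the cookie below is the real authorization check.
        if peer_ip != "127.0.0.1":
            return 403, "not loopback"
        parts = urlsplit(request_path)
        query = parse_qs(parts.query)
        supplied = query.get("cookie", [""])[0]
        # Constant-time comparison so response timing does not leak the cookie.
        if not hmac.compare_digest(supplied.encode(), self.cookie.encode()):
            return 403, "bad cookie"
        action = parts.path.rsplit("/", 1)[-1]
        if action not in ALLOWED_ACTIONS:
            return 404, "unknown action"
        feed = query.get("url", [""])[0]
        # Only web feeds may be subscribed to; reject file:, javascript:, etc.
        if urlsplit(feed).scheme not in ("http", "https"):
            return 400, "bad feed url"
        self.subscribed.append(feed)
        return 200, "ok"
```
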



_______________________________________________
dev-embedding mailing list
https://lists.mozilla.org/listinfo/dev-embedding
