Sometimes, you want to restrict an NPAPI plugin to be loadable only from a certain URL or domain or scheme. Or whenever you make network requests yourself, you almost always need to enforce same-origin policy.
There's unfortunately no trivial way to do that, but you can still do it, by asking the browser for the page URL during plugin initialization. Then you can just refuse to do anything, if you don't like the URL, or you can compare it with the other URL you want to contact.
So, how do we get at that page URL, i.e. the URL of the HTML which embeds the plugin, i.e. which caused the plugin to load?
There are at least 3 solutions (quoting newsgroup posts):
Via window location
From Robert Platt:
// Get the Dom window object. NPN_GetValue( m_pNPInstance, NPNVWindowNPObject, &sWindowObj ); // Create a "location" identifier. NPIdentifier identifier = NPN_GetStringIdentifier( "location" ); // Declare a local variant value. NPVariant variantValue; // Get the location property from the window object (which is another object). bool b1 = NPN_GetProperty( m_pNPInstance, sWindowObj, identifier, &variantValue ); // Get a pointer to the "location" object. NPObject *locationObj = variantValue.value.objectValue; // Create a "href" identifier. identifier = NPN_GetStringIdentifier( "href" ); // Get the location property from the location object. bool b2 = NPN_GetProperty( m_pNPInstance, locationObj, identifier, &variantValue );
This code is just a rough example. Remember to release any references after using them.
- Uses NPAPI only
- Works in most browsers
- Does not work in Mozillas older than Firefox 1.0
From Braden McDaniel:
If you want the URI of the resource for which the plug-in is invoked, the most NPAPI-friendly way to do that is to get it from the
NPStream that is passed to
- NPAPI only
- Probably works in all browsers, all versions
- Is sort of backwards (?)
- Advantages / disadvantages ?
From Benjamin Smedberg:
The NPAPI gives you the ability to get access to the nsIDOMWindow object which contains the current plugin via the NPNVDOMElement enum passed to
NPN_GetValue. This returns an addrefed nsIDOMElement interface pointer from which you can call
.ownerDocument (on nsIDOMNode), QueryInterface that object to nsIDOM3Document, and call
- is inherently incompatible with other non-Mozilla browsers (i.e. does not work in Opera, Safari etc.)
- compatible with older versions of the Mozilla (probably back to Mozilla 1.0)
- requires C++