Please note, this is a STATIC archive of website developer.mozilla.org from November 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Getting the page URL in NPAPI plugin

Sometimes, you want to restrict an NPAPI plugin to be loadable only from a certain URL or domain or scheme. Or whenever you make network requests yourself, you almost always need to enforce same-origin policy.

There's unfortunately no trivial way to do that, but you can still do it, by asking the browser for the page URL during plugin initialization. Then you can just refuse to do anything, if you don't like the URL, or you can compare it with the other URL you want to contact.

So, how do we get at that page URL, i.e. the URL of the HTML which embeds the plugin, i.e. which caused the plugin to load?

There are at least 3 solutions (quoting newsgroup posts):

Via window location

From Robert Platt:

// Get the Dom window object.
NPN_GetValue( m_pNPInstance, NPNVWindowNPObject, &sWindowObj );
// Create a "location" identifier.
NPIdentifier identifier = NPN_GetStringIdentifier( "location" );
// Declare a local variant value.
NPVariant variantValue;
// Get the location property from the window object (which is another object).
bool b1 = NPN_GetProperty( m_pNPInstance, sWindowObj, identifier, &variantValue );
// Get a pointer to the "location" object.
NPObject *locationObj = variantValue.value.objectValue;
// Create a "href" identifier.
identifier = NPN_GetStringIdentifier( "href" );
// Get the location property from the location object.
bool b2 = NPN_GetProperty( m_pNPInstance, locationObj, identifier, &variantValue );

This code is just a rough example. Remember to release any references after using them.

Tradeoffs:

  • Uses NPAPI only
  • Works in most browsers
  • Does not work in Mozillas older than Firefox 1.0

Via NPP_NewStream

From Braden McDaniel:

If you want the URI of the resource for which the plug-in is invoked, the most NPAPI-friendly way to do that is to get it from the NPStream that is passed to NPP_NewStream.

Tradeoffs:

  • NPAPI only
  • Probably works in all browsers, all versions
  • Is sort of backwards (?)
  • Advantages / disadvantages ?

Via DOM

From Benjamin Smedberg:

The NPAPI gives you the ability to get access to the nsIDOMWindow object which contains the current plugin via the NPNVDOMElement enum passed to NPN_GetValue. This returns an addrefed nsIDOMElement interface pointer from which you can call .ownerDocument (on nsIDOMNode), QueryInterface that object to nsIDOM3Document, and call .documentURI.

Tradeoffs:

  • is inherently incompatible with other non-Mozilla browsers (i.e. does not work in Opera, Safari etc.)
  • compatible with older versions of the Mozilla (probably back to Mozilla 1.0)
  • requires C++

Document Tags and Contributors

 Contributors to this page: teoli, evilpie, fracting, Ptak82, El1T0v, Sheppy, IvqTig, Nickolay, BenB
 Last updated by: evilpie,