Is there any free NPAPI plugin that could provide full access to local file system?
Maybe there are some ready-for-use universal plugins which provide access to many OS native api functions?
Such a plugin would be highly dangerous; Generally people are bright enough not to leave things like that just laying around.
You could build such a thing using FireBreath, but it is very difficult to lock it down enough that nobody could create a malicious website that would use it to trash your computer.
Related
I would like to build a Chrome multimedia extension.
I would like this extension to communicate with another process (using a "memory-mapped file" (https://msdn.microsoft.com/en-us/library/ms810613.aspx). Is it possible?
From the NaCl FAQ:
If I want direct access to the OS, should I use Native Client?
No—Native Client does not provide direct access to the OS or devices,
or otherwise bypass the JavaScript security model. For more
information, see later sections of this FAQ.
If it is not possible to use memory-mapped files in NaCl's sandbox, is there any other way to build such plugin?
My extension would be used only by me, so I can accept security flaws.
Short answer: No. The sandbox is designed to prevent that kind of thing. The only way to use APIs other than the Pepper APIs (or of course those available in JavaScript) would be to install a native app in the OS, and communicate with it from a web app or extension using Native Messaging:
https://developer.chrome.com/extensions/nativeMessaging (that might be a good solution for you since it sounds like communicating with another process is what you want to do anyway).
I want to port a web game from firebreath to ppapi,
the old implemention is:
firebreath plugin pass window's HWND to a other process
in the other process,render and update the game
I read some doc of ppapi, it seems that there is no way to get HWND,
Can some one give me an idea?
There are a couple of important things to know about this:
1) PPAPI by itself is only supported for certain built-in plugins, such as flash. You can enable additional ones but only using command-line flages, so it's not viable for any real use.
2) The one place you can use PPAPI is in a NACL/pNACL plugin, where you generally just talk about using NACL (Native Client) rather than worrying about the name of the API; NACL is designed specifically to not allow you to access system APIs such as the HWND or anything that would use an HWND.
So the short answer is "no, there is no way to do what you want". The longer answer is that most likely what you want to do will require rewriting as needed to use OpenGL ES w/ NACL. The good news is that this is the same OpenGL that is available on mobile platforms, so with a game you might be able to leverage that.
I'm writing a small chrome extension for personal use and I would like to run an executable via the context menu and pass certain information as arguments to said executable.
What the simplest and/or cleanest way to achieve this? To me it seems that it is impossible due to chrome's sandboxing.
This can be accomplished via NPAPI Plugins.
Code running in an NPAPI plugin has the full permissions of the
current user and is not sandboxed or shielded from malicious input by
Google Chrome in any way. You should be especially cautious when
processing input from untrusted sources, such as when working with
content scripts or XMLHttpRequest.
However, I should also include their warning.
Warning
NPAPI is being phased out. Consider using alternatives.
NPAPI is a really big hammer that should only be used when no other
approach will work.
via Start an external application from a Google Chrome Extension?
Alternatives to NPAPI
There are several alternatives to NPAPI. In cases where standard web
technologies are not yet sufficient, developers and administrators can
use NaCl, Apps, Native Messaging API, and Legacy Browser Support to
transition from NPAPI. Moving forward, our goal is to evolve the
standards-based web platform to cover the use cases once served by
NPAPI.
via http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html
Another way, suggested here, is with Java.
Java applets: http://docs.oracle.com/javase/tutorial/deployment/applet/
Implementing Policy: http://docs.oracle.com/javase/tutorial/security/userperm/policy.html
Use sendNativeMessage:
There is chrome.runtime.sendNativeMessage which can be used to send a
message to a native application and chrome.runtime.connectNative which
allows for a more persistent connection.
So, you can't directly execute a command, but you can have a native
app do it for you.
You can find more info on Native Messaging in the docs.
via https://stackoverflow.com/a/19917672/1085891
I need to develop a mini ClickOnce plugin for Firefox, Chrome, Operah and Safari (preferably, one that works on all of the above).
My plugin needs to be able to run an application in a one-click fashion. In other words, by going to a specific URL, my application will run on the target machine (no prompts / dialogs shown). Unfortunately, ClickOnce is only available with IE, and I am unhappy with the ClickOnce plugins that currently exist. I would like to develop a tailored ClickOnce plugin that suits my specific needs.
I read about FireBreath, which sounded like a perfect solution for me. I also read about the difference between an extension and a plugin and I think a plugin is what I am looking for. I just wanted to make sure with you guys that I am on the right path. Is what I want to achieve possible with FireBreath / NPAPI plugins? Can a plugin download an executable and then run it on a target machine?
Yes, NPAPI will allow you to do what you want. You can run arbitrary native code using an NPAPI plugin, and control it via JavaScript on the web page side. Users will have to download and install your plugin though, so it only makes sense if this is something users will use more than once.
You'll obviously have to be very, very careful about security though. If you make a plugin whose sole purpose is to download and run code without user interaction then you'll need to be absolutely certain that there's no way for a malicious page to use your plugin.
I need to write a browser plugin to communicate with another process, and it seems I have to use NPAPI plugins. Is there any example or open source NPAPI plugin I can refer to?
Many thanks for your reply.
Summary of answers
http://mxr.mozilla.org/seamonkey/source/modules/plugin/samples/
http://www.firebreath.org/
http://code.google.com/p/nixysa/
http://code.google.com/p/npapi-file-io/
2 and 3 are both frameworks to make plugin development easier.
I found one example at
http://mxr.mozilla.org/seamonkey/source/modules/plugin/samples/
you could also use the open source FireBreath plugin framework; they are nearing a 1.0 release for windows only, but it would not be hard to port it to linux; mac os shouldn't be bad either, but it will take a little work to get CMake to generate the correct bundle type =]
Yes, I am one of the primary maintainers, so I'm a bit biased. You can also find some good general information on how NPAPI works on my blog, starting here:
http://colonelpanic.net/2009/03/building-a-firefox-plugin-part-one/