Discussion:
[webkit-help] NPAPI plugins [Kotteeswaran]
Kotteeswaran E
2015-12-14 09:49:39 UTC
Permalink
Hi,

Thanks for your reply which would be very helpful and useful information
that I get. In our case, we planned to give the plugin stuff to our clients
(the plugins will be developed by us only).

So I hope there is no need about security issues.

I still have one more concern that NPAPI won't work properly in mobile
environment (Saw in some post while googling). Is it the case?

If yes, what is the reason for that.

thanks & regards,
Kotteeswaran.E
Hi,
Thanks for your reply and support.
Our idea is develop a web based customized application (substitute to
android) with webkit (option A).
Our product is having wifi, BT, etc. We want to control all these via
plugins. When I was analysing this, I found NPAPI & PPAPI plugins and
security concerns. I just wanted to confirm, hacking may happen as it is
web based. When I make these calls via plugins.
If your environment does not allow execution of 3rd party plugins,
security concerns of plugin APIs should not worry you much. (Though you can
still have security issues if code of your plugins is not designed with
security in mind)
OTOH, since you don't need portability between engines, you should
probably use InjectedBundle APIs of WebKit instead of generic plugin APIs -
this way will give you more control and performance. Grep code of WebKit
for InjectedBundle, WKBundleClient, WKBundleRef to see examples of usage.
thanks & regards,
Kotteeswaran.E
Hi,
Thanks for your prompt reply.
My concern is that as Google says, the NPAPI plugins are having
security issues as they plugins are available to the hackers.
We plan to implement PPAPI & NACL in webkit instead of NPAPI Plugin
calls.
But We are not sure whether the PPAPI & NACL are portable to webkit
environment as a topic in firebreath says that Nacl is supported only in
google browsers i.e. it won't support third party browsers. And firebreath
is doing its own native messaging.
Please share ur valuable suggestions in this.
Could you specify your goals more precisely? Are you going to
a) develop native application using customized WebKit engine, with your
additions implemented via plugin, or
b) develop plugin which would be possible to use in different
WebKit-based browsers?
If the answer is (a), portability should not be a concern for you,
since you are in control of your environment, but you also don't have to
use NPAPI/PPAPI-style plugins, because you can modify engine at your will.
thanks & regards,
Kotteeswaran.E
Hi,
We are planning to develop our a webkit based GUI kind of thing.
When we browsed in the net, we came to know that Chrome and Mozilla are not
supporting NPAPI plugins due to security reasons and chrome is switching to
PPAPI plugin with NACl.
But in firebreath url, we saw that "PPAPI can be used in conjunction
with NaCL but NACl is supported only on google chrome."
Our plan is to use python based plugin based calls in our product.
Please suggest us a way to proceed.
FYI, there is a wrapper that allows running PPAPI plugin in
https://github.com/i-rinat/freshplayerplugin
Currently it is focused on running modern versions of Flash plugin
inside Firefox.
--
Regards,
Konstantin
--
Thanks & regards,
E. Kotteeswaran | Tech Lead – DVB Middleware
This message and any attachment are confidential and may be privileged
or otherwise protected from disclosure and solely for the use of the
person(s) or entity to whom it is intended. The contents is issued in
confidence for the purpose only for which it is produced. If you have
received this message in error and are not the intended recipient, please
notify the sender immediately and delete this message and any attachment
from your system. If you are not the intended recipient, be advised that
any use of this message is prohibited and may be unlawful, and you must not
copy this message or attachment or disclose the contents to any other
person.
Internet correspondence is not secure and neither Lukup Media Pvt.
Ltd. nor the sender accepts responsibility for viruses or other forms of
data corruption caused by such. It is your responsibility to scan this
e-mail and any attachments for viruses. Neither Lukup Media Pvt. Ltd. nor
the sender does accept liability for any errors or omissions in the
contents of this message or attachments that arise as a result of e-mail
transmission.
--
Regards,
Konstantin
--
Thanks & regards,
E. Kotteeswaran | Tech Lead – DVB Middleware
This message and any attachment are confidential and may be privileged
or otherwise protected from disclosure and solely for the use of the
person(s) or entity to whom it is intended. The contents is issued in
confidence for the purpose only for which it is produced. If you have
received this message in error and are not the intended recipient, please
notify the sender immediately and delete this message and any attachment
from your system. If you are not the intended recipient, be advised that
any use of this message is prohibited and may be unlawful, and you must not
copy this message or attachment or disclose the contents to any other
person.
Internet correspondence is not secure and neither Lukup Media Pvt. Ltd.
nor the sender accepts responsibility for viruses or other forms of data
corruption caused by such. It is your responsibility to scan this e-mail
and any attachments for viruses. Neither Lukup Media Pvt. Ltd. nor the
sender does accept liability for any errors or omissions in the contents of
this message or attachments that arise as a result of e-mail transmission.
--
Regards,
Konstantin
--
Thanks & regards,
E. Kotteeswaran | Tech Lead – DVB Middleware

M: +91 94811 34803 | e: ***@lukup.com <***@lukup.com>
--
*This message and any attachment are confidential and may be privileged or
otherwise protected from disclosure and solely for the use of the person(s)
or entity to whom it is intended. The contents is issued in confidence for
the purpose only for which it is produced. **If you have received this
message in error and are not the intended recipient, please notify the
sender immediately and delete this message and any attachment from your
system. If you are not the intended recipient, be advised that any use of
this message is prohibited and may be unlawful, and you must not copy this
message or attachment or disclose the contents to any other person.*


*Internet correspondence is not secure and neither Lukup Media Pvt. Ltd.
nor the sender accepts responsibility for viruses or other forms of data
corruption caused by such. It is your responsibility to scan this e-mail
and any attachments for viruses. Neither Lukup Media Pvt. Ltd. nor the
sender does accept liability for any errors or omissions in the contents of
this message or attachments that arise as a result of e-mail transmission. *
Konstantin Tokarev
2015-12-14 10:17:23 UTC
Permalink
Hi,
Thanks for your reply which would be very helpful and useful information that I get. In our case, we planned to give the plugin stuff to our clients (the plugins will be developed by us only).
So I hope there is no need about security issues.
I still have one more concern that NPAPI won't work properly in mobile environment (Saw in some post while googling). Is it the case?
Many vendors of mobile browsers don't support NPAPI. If you build you own copy of WebKit, you may want to enable it. Though you should beware of possible issues, because there is little to no testing of NPAPI code on non-x86 platforms.

If your plugins need to draw content inside web pages, it may be hard to integrate plugins into you graphic system, since plugins operate in their own native windows, not under control of WebKit renderer.

For your conditions, I'd recommended you to avoid plugins and go for InjectedBundle and co. WebKit port that you are using may already provide some high-level API around InjectedBundle allowing you to inject custom code & content inside web pages.
If yes, what is the reason for that.
thanks & regards,
Kotteeswaran.E
Hi,
Thanks for your reply and support.
Our idea is develop a web based customized application (substitute to android) with webkit (option A).
Our product is having wifi, BT, etc. We want to control all these via plugins. When I was analysing this, I found NPAPI & PPAPI plugins and security concerns. I just wanted to confirm, hacking may happen as it is web based. When I make these calls via plugins.
If your environment does not allow execution of 3rd party plugins, security concerns of plugin APIs should not worry you much. (Though you can still have security issues if code of your plugins is not designed with security in mind)
OTOH, since you don't need portability between engines, you should probably use InjectedBundle APIs of WebKit instead of generic plugin APIs - this way will give you more control and performance. Grep code of WebKit for InjectedBundle, WKBundleClient, WKBundleRef to see examples of usage.
thanks & regards,
Kotteeswaran.E
Hi,
Thanks for your prompt reply.
My concern is that as Google says, the NPAPI plugins are having security issues as they plugins are available to the hackers.
We plan to implement PPAPI & NACL in webkit instead of NPAPI Plugin calls.
But We are not sure whether the PPAPI & NACL are portable to webkit environment as a topic in firebreath says that Nacl is supported only in google browsers i.e. it won't support third party browsers. And firebreath is doing its own native messaging.
Please share ur valuable suggestions in this.
Could you specify your goals more precisely? Are you going to
a) develop native application using customized WebKit engine, with your additions implemented via plugin, or
b) develop plugin which would be possible to use in different WebKit-based browsers?
If  the answer is (a), portability should not be a concern for you, since you are in control of your environment, but you also don't have to use NPAPI/PPAPI-style plugins, because you can modify engine at your will.
 thanks & regards,
Kotteeswaran.E
Hi,
We are planning to develop our a webkit based GUI kind of thing. When we browsed in the net, we came to know that Chrome and Mozilla are not supporting NPAPI plugins due to security reasons and chrome is switching to PPAPI plugin with NACl.
But in firebreath url, we saw that "PPAPI can be used in conjunction with NaCL but NACl is supported only on google chrome."
Our plan is to use python based plugin based calls in our product.
Please suggest us a way to proceed.
https://github.com/i-rinat/freshplayerplugin
Currently it is focused on running modern versions of Flash plugin inside Firefox.
--
Regards,
Konstantin
--
Thanks & regards,
E. Kotteeswaran | Tech Lead – DVB Middleware
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure and solely for the use of the person(s) or entity to whom it is intended. The contents is issued in confidence for the purpose only for which it is produced. If you have received this message in error and are not the intended recipient, please notify the sender immediately and delete this message and any attachment from your system. If you are not the intended recipient, be advised that any use of this message is prohibited and may be unlawful, and you must not copy this message or attachment or disclose the contents to any other person.
Internet correspondence is not secure and neither Lukup Media Pvt. Ltd. nor the sender accepts responsibility for viruses or other forms of data corruption caused by such. It is your responsibility to scan this e-mail and any attachments for viruses. Neither Lukup Media Pvt. Ltd. nor the sender does accept liability for any errors or omissions in the contents of this message or attachments that arise as a result of e-mail transmission.
--
Regards,
Konstantin
--
Thanks & regards,
E. Kotteeswaran | Tech Lead – DVB Middleware
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure and solely for the use of the person(s) or entity to whom it is intended. The contents is issued in confidence for the purpose only for which it is produced. If you have received this message in error and are not the intended recipient, please notify the sender immediately and delete this message and any attachment from your system. If you are not the intended recipient, be advised that any use of this message is prohibited and may be unlawful, and you must not copy this message or attachment or disclose the contents to any other person.
Internet correspondence is not secure and neither Lukup Media Pvt. Ltd. nor the sender accepts responsibility for viruses or other forms of data corruption caused by such. It is your responsibility to scan this e-mail and any attachments for viruses. Neither Lukup Media Pvt. Ltd. nor the sender does accept liability for any errors or omissions in the contents of this message or attachments that arise as a result of e-mail transmission.
--
Regards,
Konstantin
--
Thanks & regards,
E. Kotteeswaran | Tech Lead – DVB Middleware
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure and solely for the use of the person(s) or entity to whom it is intended. The contents is issued in confidence for the purpose only for which it is produced. If you have received this message in error and are not the intended recipient, please notify the sender immediately and delete this message and any attachment from your system. If you are not the intended recipient, be advised that any use of this message is prohibited and may be unlawful, and you must not copy this message or attachment or disclose the contents to any other person.
Internet correspondence is not secure and neither Lukup Media Pvt. Ltd. nor the sender accepts responsibility for viruses or other forms of data corruption caused by such. It is your responsibility to scan this e-mail and any attachments for viruses. Neither Lukup Media Pvt. Ltd. nor the sender does accept liability for any errors or omissions in the contents of this message or attachments that arise as a result of e-mail transmission.
--
Regards,
Konstantin
Loading...