1<div id="pageData-name" class="pageData">NPAPI Plugins</div> 2 3<p> 4Leveraging HTML and JavaScript 5makes developing new extensions really easy, 6but what if you have existing legacy or proprietary code 7that you want to reuse in your extension? 8You can bundle an NPAPI plugin with your extension, 9allowing you to call into native binary code from JavaScript. 10</p> 11 12<h2>Warning</h2> 13 14<p align="center"><b>NPAPI is a really big hammer that should only be used when no other approach will work.</b> 15 16<p>Code running in an NPAPI plugin has the full permissions of the current user and is not sandboxed or shielded from malicious input by Google Chrome in any way. You should be especially cautious when processing input from untrusted sources, such as when working with <a href="content_scripts.html#security-considerations">content scripts</a> or XMLHttpRequest. 17 18<p>Because of the additional security risks NPAPI poses to users, extensions that use it will require manual review before being accepted in the 19<a href="https://chrome.google.com/webstore">web store</a> or 20<a href="https://chrome.google.com/extensions">extension gallery</a>. 21 22<h2>Details</h2> 23 24<p> 25How to develop an NPAPI plugin is outside the scope of this document. 26See <a href="https://developer.mozilla.org/en/Plugins">Mozilla's 27NPAPI plugin reference</a> for information on how to do that. 28</p> 29 30<p> 31Once you have an NPAPI plugin, 32follow these steps to get your extension using it. 33</p> 34 35<ol> 36 <li> 37 Add a section to your extension's <code>manifest.json</code> 38 that describes where to find the plugin, 39 along with other properties about it: 40 41<pre>{ 42 "name": "My extension", 43 ... 44 <b>"plugins": [ 45 { "path": "content_plugin.dll", "public": true }, 46 { "path": "extension_plugin.dll" } 47 ]</b>, 48 ... 49}</pre> 50 51 <p> 52 The "path" property specifies the path to your plugin, 53 relative to the manifest file. 54 The "public" property specifies whether 55 your plugin can be accessed by regular web pages; 56 the default is false, 57 meaning only your extension can load the plugin. 58 </p> 59 </li> 60 61 <li> 62 Create an HTML file that loads your plugin by mime-type. 63 Assuming your mime-type is "application/x-my-extension": 64 65<pre> 66<embed type="application/x-my-extension" id="pluginId"></embed> 67<script> 68 var plugin = document.getElementById("pluginId"); 69 var result = plugin.myPluginMethod(); // call a method in your plugin 70 console.log("my plugin returned: " + result); 71</script></pre> 72 73 <p> 74 This can be inside a background page 75 or any other HTML page used by your extension. 76 If your plugin is "public", 77 you can even use a content script to programmatically 78 insert your plugin into a web page. 79 </p> 80 </li> 81</ol> 82 83<h2 id="security-considerations">Security considerations</h2> 84 85<p> 86Including an NPAPI plugin in your extension is dangerous because plugins 87have unrestricted access to the local machine. If your plugin contains 88a vulnerability, an attacker might be able to exploit that vulnerability 89to install malicious software on the user's machine. Instead, avoid 90including an NPAPI plugin whenever possible. 91</p> 92 93<p> 94Marking your NPAPI plugin "public" increase the attack surface of your 95extension because the plugin is exposed directly to web content, making 96it easier for a malicious web site to manipulate your plugin. Instead, 97avoid making your NPAPI plugin public whenever possible. 98</p> 99 100