4 - The issue of loading multiple instances of a single module has come back up. For us, this means using something other than module name for the id when we put our plugin into the DOM. While the use case has never been particularly important, we all feel it's worth exploring the idea of not depending on module names for the id's since it actually is the right architecture. Currently, the hosted.html includes a static embed with the id __gwt_Plugin so this would require a more dynamic solution (Finding the plugin adjacent to our script block, or creating the DOM structure on the fly).
5 - UI for remembered settings. We're realizing that we now have some remembered settings for the plugins (Always trust this host, for instance), so we'll need UI components to un-remember these. We're currently discussing where these should be located and whether to favor the native way (configure UI in XUL for Firefox plugin or System Preference plugin for OSX, for example) or to create a consistent way (create a web UI that calls into the plugin to persist the changes). There are also some complicating factors here, like the fact that NPAPI doesn't have a standard method of talking to the chrome whereas the WebKit plugin does, so going that route will likely result in the need for an XPCOM layer on Firefox.
On Wed, May 14, 2008 at 4:03 PM, Kelly Norton <kno...@google.com> wrote:
4 - The issue of loading multiple instances of a single module has come back up. For us, this means using something other than module name for the id when we put our plugin into the DOM. While the use case has never been particularly important, we all feel it's worth exploring the idea of not depending on module names for the id's since it actually is the right architecture. Currently, the hosted.html includes a static embed with the id __gwt_Plugin so this would require a more dynamic solution (Finding the plugin adjacent to our script block, or creating the DOM structure on the fly).
Just FYI, it's very likely this doesn't even work correctly in web mode. I'm all for doing the right thing, but I wouldn't get involved in a rabbit hunt just to solve same-module-twice.
5 - UI for remembered settings. We're realizing that we now have some remembered settings for the plugins (Always trust this host, for instance), so we'll need UI components to un-remember these. We're currently discussing where these should be located and whether to favor the native way (configure UI in XUL for Firefox plugin or System Preference plugin for OSX, for example) or to create a consistent way (create a web UI that calls into the plugin to persist the changes). There are also some complicating factors here, like the fact that NPAPI doesn't have a standard method of talking to the chrome whereas the WebKit plugin does, so going that route will likely result in the need for an XPCOM layer on Firefox.
Personally, I've been kind of fond of the way Google Desktop does its settings via web app, so I'd be in favor of that. It's also bound to be far less work in the long run and most likely yield a better UI.
My opinion, but it seems to me the preferences should be presented in the way that was native to the platform. If I am setting preferences for a Firefox extension, I want to be able to use all the Firefox facilities for them (about:config, Tools->Extensions->*->Preferences, etc) -- I do not want to have to run some other app to alter the preferences.
Don't forget that there should also be a common command line way of manipulating these preferences, so that scripts that run unit tests, especially those that distribute tests across a network of machines, won't require you to go login to each machine, fire up each browser in a UI window, and uncheck a bunch of proxies. This could get *extremely* irritating if it has to be done every time.
Ah, the classic trade-off: make users or developers happier?
:-)
I'm going to go out on a limb and say that with a web UI, we could really make the users happier as well, because we could do a better UI than we'd be able to do plugging into browser settings. The other nice thing this would accomplish is that it would ensure all the settings would be tweakable via script. Obviously, there are some security considerations to that route, but having the ability to tweak the settings through script could be particularly useful for some purposes.
Bob actually brought up a really great point with regards to this. The fact is, many of our users are going to install the OOPHM plugin on several different browsers. I know you Linux guys suffer from having very few browser options, but on Windows (for example) you might install the plugin on IE, FF, and Safari in order to test out your app on all three major browsers. So the question quickly changes from the one you posed to a very different one-- "Do I want to have to learn three different ways of configuring the GWT browser plugin?"
What I think would be great would be if you could have, say, a native FF extension preferences page with one button on it, "Configure", that would launch the preferences web app. I can't imagine what could be any easier for the users.
100% agreement, Ray. Part of my feeling of doing it as a web app (if possible) is that you force the issue of allowing configuration via JavaScript-- this ensures that the kind of automated configuration you describe is possible.
For Ray's item #2, could the server send them to the plugin for each individual run ?
There are a couple of issues with this approach:1) security concerns about arbitrary JS being able to modify the preferences. You can't use the preferences to control access to the preferences, so I am not sure how you fix it without Vista-like annoying dialogs asking the user if it is ok each time.
2) for Firefox, if you allow the standard preferences to be set (even more security issues to address), these preferences are per profile and you can only have one process running in a given profile. That negates Ray's desired ability to modify them from a command line, as if that profile is already running you can't start a new browser to change them. If you don't use native Firefox preferences, then you lose the ability to have different setups in different profiles, you have to figure out where to put them on each platform, and you have to deal with all the concurrent access issues yourself.
On Fri, May 16, 2008 at 12:37 AM, John Tamplin <j...@google.com> wrote:There are a couple of issues with this approach:1) security concerns about arbitrary JS being able to modify the preferences. You can't use the preferences to control access to the preferences, so I am not sure how you fix it without Vista-like annoying dialogs asking the user if it is ok each time.That's simple: running our own web app from a preferences "Configure" page automatically works. For anyone else to get access to the API, you would have had to configure an JS access password, and the JavaScript would have to know the password in order to configure settings. You could also lock out any page that used an incorrect password to prevent guessing attacks.
firefox file://path/to/configure-oophm.html?oophm-settings-password=thepasswordiconfigured
That's simple: running our own web app from a preferences "Configure" page automatically works. For anyone else to get access to the API, you would have had to configure an JS access password, and the JavaScript would have to know the password in order to configure settings. You could also lock out any page that used an incorrect password to prevent guessing attacks.
How would the plugin verify that it is "our own web app" that couldn't be spoofed by someone else's JS code? Having the privileged XUL code set a flag before running it doesn't solve it because
On Fri, May 16, 2008 at 10:53 AM, Scott Blum <sco...@google.com> wrote:On Fri, May 16, 2008 at 12:37 AM, John Tamplin <j...@google.com> wrote:There are a couple of issues with this approach:1) security concerns about arbitrary JS being able to modify the preferences. You can't use the preferences to control access to the preferences, so I am not sure how you fix it without Vista-like annoying dialogs asking the user if it is ok each time.That's simple: running our own web app from a preferences "Configure" page automatically works. For anyone else to get access to the API, you would have had to configure an JS access password, and the JavaScript would have to know the password in order to configure settings. You could also lock out any page that used an incorrect password to prevent guessing attacks.
How would the plugin verify that it is "our own web app" that couldn't be spoofed by someone else's JS code? Having the privileged XUL code set a flag before running it doesn't solve it because
Start up our Web UI with a query param that is the current correct password and have our UI use that?