Ruiyi Chen suggested using English on this mailing list, so I am creating
a new thread in English for discussing security issues, forwarding
Johnny Ding's comment about security. Thanks Johnny!
2011/11/23 Johnny Ding <j...@google.com>:
One more thing: the security issue will be a big challenge for the
ActiveX bridge in non-IE browsers, because currently there is no non-IE
browser that checks the security properties of an NPAPI plugin (like a
digital certificate), as far as I know. If the plugin is compromised, the
user's confidential information will be leaked.
By the way, you may want to check the Pepper API for the new
generation plugin architecture.
2011/11/17 Qian Hong <frac...@gmail.com>:
> Regarding security issues, I would like to ask everyone for advice.
--
Regards,
Qian Hong
-
Sent from Ubuntu
http://www.ubuntu.com/
Currently np-activex is available in the Chrome Web Store [1]. Any plugin
uploaded to the Chrome Web Store must be packaged as a .CRX package [2]
first. According to [2], the package itself is signed. Can we trust
the plugin in this case?
> By the way, you may want to check the Pepper API for the new
> generation plugin architecture.
Good idea. A Pepper API plugin is sandboxed, so it will be much
safer than an NPAPI plugin.
However, we may have other problems here. An NPAPI plugin is platform
dependent but the Pepper API is not [3]. We can conveniently use an NPAPI
plugin to build a bridge for ActiveX, which is another platform-dependent
plugin on Win32, but how can we build a bridge for ActiveX
using a platform-independent API?
Thanks!
[1] https://chrome.google.com/webstore/detail/lgllffgicojgllpmdbemgglaponefajn
[2] http://code.google.com/chrome/extensions/crx.html
[3] http://www.chromium.org/nativeclient/getting-started/getting-started-background-and-basics
It seems someone has tried to port Wine to Native Client, but with no luck yet.
http://wiki.winehq.org/NaCl
If Wine can be ported to Native Client, then in theory all platforms
that support Chrome will support ActiveX in a safe way.