Posting Application

Posting Application

Status: testing
This specification is being tested in the Firefox and Chrome extensions.

A posting application is an application that generates a new Privly URL. Injectable Application often do the work of generating their link and displaying it within the page, but in some cases it is useful to separate the application for generating a new link from the applications intended to view the content.

A user will be able to specify any posting application by giving the extension the application's address. The extension will come with several pre-packaged posting applications which are served directly from the extensions. The high-level process for posting a new Privly-type link is:

1. The user selects the form element they want to post the link to (this often through a right click of the mouse)
2. The extension opens a web application for the current posting application and messages the current contents of the host page's form element.
3. When interaction with the posting application completes, it fires a privlyUrl event
4. The extension places the URL into the host page's form element
5. The extension closes the posting application's window

Sending the URL to the Extension

When the posting application creates a new link, the application will fire an event containing the URL for the extension to add to the host page.

Example Posting Application Event:

var url = "" //the Privly formatted URL
var urlEventElement = document.createElement("privlyEventSender");  
urlEventElement.setAttribute("privlyUrl", url);  
document.documentElement.appendChild(urlEventElement);  
var evt = document.createEvent("privlyEvents");  
evt.initEvent("PrivlyUrlEvent", true, false);  
urlEventElement.dispatchEvent(evt);

When we integrate the compiled encryption library, the posting applications will have API access to the user's public and private key. Most users will only use the pre-packaged applications, but they will have the option of using posting applications hosted on remote servers.

See Also: List of Current Injectable Applications

Sending Content to the Posting Application

Different browsers have different methods of securely communicating with web applications, but we need a consistent way to securely manage the communication. A common problem is platform differences in the way messages are handled, which prevents common code for verifying sender identity. To abstract away the differences, we send a message from the posting application to the extension using an event. The event is fired with a secret identifier, which can only be captured by the extension. All subsequent messages will then contain the secret identifier, and the application will trust the data.

var secret = Math.random().toString(36).substring(2) + 
             Math.random().toString(36).substring(2) +  
             Math.random().toString(36).substring(2);
var messageSecretElement = document.createElement("privlyEventSender");  
messageSecretElement.setAttribute("privlyMessageSecret", secret);  
document.documentElement.appendChild(messageSecretElement);  
var evt = document.createEvent("privlyEvents");  
evt.initEvent("PrivlyMessageSecretEvent", true, false);  
messageSecretElement.dispatchEvent(evt);

Note that this code will only be as strong as the local implementation of Math.random(). The random secret will be 48 characters long as shown above. You should also be careful to check on individual platforms that this message will not be captured by another application.

The extension will then be able to optionally answer back with a message containing the content of the form element where the link will be placed. For example, the extension could send a message to the posting application with the postMessage sequence shown below:

var secretMessage = "The random identifier sent by the posting application";
var currentContent = "The content found in the form element receiving the final URL";
var postingApplicationWindow = "The window object for the current posting application window";
postingApplicationWindow.postMessage(secretMessage + currentContent);

Here the content is prefixed by the secret message contained in the event sent by the posting application.

This process needs scrutiny since it will likely be an integral component of the communication channel with the encryption library.