URL Specification

smcgregor edited this page Nov 26, 2014 · 15 revisions

Status: testing

Working Draft for Version 4 of URL format.

Revision History

  • Working Draft for Version 4.1, Removes passive mode and passive messages
  • Working Draft for Version 4, Introduces Injectable Application Selection
  • Working Draft for Version 1, URL format: Basic URL format


Privly will support any domain, but initially we will have a short default whitelist for automatic injection. The whitelist combined with the user preferences will set the link's mode of operation.

Developers can currently modify their whitelist.


This URL format places parameter strings in the URL anchor as well as the parameter string. Parameters in the anchor text are never sent to the remote server, whereas server parameters are. In cases where the parameter is specified in both the parameter string and the anchor text, the anchor parameter is ignored.

There are three types of parameters, outlined below.

Content Script Parameters

The content script parameters give additional instructions to the content script on how to handle a Privly-type link. Only one of these parameters is currently required. The other parameters influence the operation mode of the link.

  • privlyInject1 (Required): Indicates the link is capable of being injected.
  • privlyBurntAfter: specifies a time in seconds in the Unix epoch until the content is likely destroyed on the remote server. Destruction of the content should result in a change of message, but not a request to the remote server for the content
  • privlyExclude: Force the link to not be injected

Extension Parameters

When the injectable application is served from remote code, the injected application's iframe has the same source URL as the URL found on the host page. When the user has a Privly extension installed, it is preferable to not execute the remote code, and the application is instead served directly from the extension. Serving the application locally means it is no longer served from the same domain as the content server. Since the domain of the injected application does not match its content, a cross domain request must be made by the extension.

  • privlyApp: Indicates which application should be served from local storage if it is available. If the injectable application is not found in local storage, then it is not injected.
  • privlyDataURL: The injected web application fetches the content from this URL. When the application is injected by an extension, the content found at this URL will be messaged to this application from the extension. If this parameter is not specified, the data URL is assumed to be the complete URL with the addition of the parameter format=json.

Injectable Application Parameters

Injectable applications often place configuration parameters on the URLs added to host pages. These special parameters need to be available to the injectable application when they are injected into the host page. The injected application will either be served from the extension directly or from the domain hosting the content. When the extension serves the application locally, it must provide the original link to the injectable application.

  • privlyOriginalURL: The original link found in the host page. This link is broken up by the injected application.

For more information about the parameters required by injectable applications, look at specific injectable applications.


This version introduces the selection of an injectable application in the URL. Future versions should have the content server determine the injectable application without the link needing to specify it. Putting the application name into the hyperlink provides the host page with knowledge of the type of data behind the link.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.