Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Netscape Plugin Security
branch: master
Failed to load latest commit information.
testdata Initial commit
third_party Initial commit
COPYING Initial commit
ChangeLog Initial commit
Info.plist Initial commit
Makefile Initial commit
NOTICE Initial commit
README Initial commit
apple.c Initial commit
config.c Initial commit
config.h Initial commit
export.c Initial commit
export.h Initial commit
instance.c Initial commit
instance.h Initial commit
linux.c Initial commit
log.c Initial commit
log.h Initial commit
netscape.c Initial commit
netscape.h Initial commit
nssecurity.ini Initial commit
platform.h Initial commit
policy.c Initial commit
policy.h Initial commit
util.c Initial commit
util.h Initial commit



This is a NPAPI plugin intended to intercept the loading of other plugins and
apply simple policy decisions. The intention is to allow enterprise
administrators to deploy deprecated, unreliable or unsafe third party plugins
while minimising the security exposure.

The plugin works by proxying api calls from the browser to all the configured
plugins and inserting small shims that verify that the administrative policy is
enforced. Plugins are configured in a single global configuration file, and all
the relevant information is forwarded to the browser (MIME Types, Extensions,

You can think of this as a xinetd for browser plugins.


All configuration happens in the file /etc/nssecurity.ini, intended to be
manageable by cfengine, puppet, or other similar tools. The format is described
in the sample configuration file included.

The most basic policy decision is a domain whitelist. For example, by creating
a configuration like this:

    [Third Party Plugin]

Or on Apple systems, which use directory bundles called .plugin instead of
shared objects:

    [Third Party Plugin]
    LoadPlugin=/Library/Third Party Plug-Ins/BrowserThing.plugin

Now the plugin can only be instantiated by the domains listed. By default, the
plugins must be loaded over https, as this is the only way to have any
confidence the domain being reported by the browser is accurate. However, you
can disable the protocol checks like so if you really need it:

    [Third Party Plugin]

Currently supported directives are as follows:

    AllowInsecure           Do not require https for domains listed in
                            AllowDomains (not recommended).

    FriendlyWarning         Optional message displayed to user when a plugin is
                            disallowed, can be specified in [Global], or per-plugin

    LoadPlugin              Filename of a plugin you want wrapped with the security wrapper.

    AllowedDomains          List of domains you want to allow to load this
                            plugin, these are matched using the format described in fnmatch(3).

    PluginDescription       Description displayed by the browser when a user
                            looks at about:plugins (Linux Only, Apple use the
                            Contents of Info.plist)

There should be one [Global] section, containing default options, followed by
an arbitrary number of plugin specific sections. The name of each new section
is not important, but is displayed in some debugging message, so make it

Each plugin section requires a LoadPlugin, directive. Everything else is optional.


I find these commands useful when debugging.

$ google-chrome --user-data-dir=/tmp --plugin-launcher='xterm -e gdb -ex r --args'
$ google-chrome --user-data-dir=/tmp --plugin-launcher='xterm -hold -e valgrind'


Something went wrong with that request. Please try again.