Sometimes, you want to restrict a plugin to be loadable only from a certain URL or domain or scheme. Or whenever you make network requests yourself, you almost always need to enforce same-origin policy.
There's unfortunately no trivial way to do that, but you can still do it, by asking the browser for the page URL during plugin init. Then you can just refuse to do anything, if you don't like the URL, or you can compare it with the other URL you want to contact.
So, how do we get at that page URL, i.e. the URL of the HTML which embeds the plugin, i.e. which caused the plugin to load?
There are at least 3 solutions (quoting newsgroup posts):
Via window location
From Robert Platt:
// Get the window object. NPN_GetValue( m_pNPInstance, NPNVWindowNPObject, &sWindowObj ); // Create a "location" identifier. NPIdentifier identifier = NPN_GetStringIdentifier( "location" ); // Declare a local variant value. NPVariant variantValue; // Get the location property from the window object (which is another object). bool b1 = NPN_GetProperty( m_pNPInstance, sWindowObj, identifier, &variantValue ); // Get a pointer to the "location" object. NPObject *locationObj = variantValue.value.objectValue; // Create a "href" identifier. identifier = NPN_GetStringIdentifier( "href" ); // Get the location property from the location object. bool b2 = NPN_GetProperty( m_pNPInstance, locationObj, identifier, &variantValue );
This code is just a rough example. Remember to release any references after using them.
From Braden McDaniel:
If you want the URI of the resource for which the plug-in is invoked, the most NPAPI-friendly way to do that is to get it from the NPStream that is passed to NPP_NewStream.
(Incompatible with non-Mozilla browsers)
From Benjamin Smedberg:
The NPAPI gives you the ability to get access to the nsIDOMWindow object which contains the current plugin via the NPNVDOMElement enum passed to NPN_GetValue. This returns an addrefed nsIDOMElement interface pointer from which you can call .ownerDocument (on nsIDOMNode), QueryInterface that object to nsIDOM3Document, and call .documentURI.
Christian Biesinger adds:
This way of getting the URI is also compatible with older versions of the browser ..., but has the downside of requiring C++. (and is inherently incompatible with other browsers implementing the NPAPI)