Bug 374575 - Allow two-way communication between plugins/iframes and the host page
Summary: Allow two-way communication between plugins/iframes and the host page
Status: RESOLVED FIXED
Alias: None
Product: Orion (Archived)
Classification: ECD
Component: Client (show other bugs)
Version: 0.4   Edit
Hardware: PC Windows 7
: P3 normal (vote)
Target Milestone: 4.0 M2   Edit
Assignee: Simon Kaegi CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-17 01:35 EDT by Susan McCourt CLA
Modified: 2013-10-09 17:07 EDT (History)
5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Susan McCourt CLA 2012-03-17 01:35:36 EDT 
We've talked about the need for a small/secure "shell service" API that a plugin could use to talk to its host page.

Most of the shell services we speak of require the inner content plugin to know that it is in Orion and make specific notifications.  I could imagine:
- progress
- prompting
- notifications

But even for the most loosely coupled example (remote editor), we first need a way to invoke save.  I could imagine that we would want to pass either the raw content or a URL describing the content location.

For the Pixlr plugin, I'm using an existing API that redirects to a URL on save.  I added a saveHook.html that lives in the visual iframe and actually causes the save to happen.  This is nice because we can then give the user a chance to validate the data before saving to the workspace.  And the hosting page can ensure that the postMessage is from Orion itself (since we've redirected the plugin to the save hook).

Even so, we should have some kind of API for the save notification to be posted from the inner iframe to the parent.  For now I just rolled a custom notification.  I could imagine us formalizing this...would it be a call to the plugin registry?  or a new service called shell service?  etc.

To make progress on this issue I think we should reimplement the custom post message that I put in orion/content/saveHook.js and orion/content/content.js and have them using a middleman (shell service) with a more formal API.  Then we can start adding a few more services.
Comment 1 Susan McCourt CLA 2012-03-17 01:36:58 EDT 
Simon, I can own this bug but really need to discuss with you where we think this shell service API lives (do the notifications use the plugin registry?) etc....
Comment 2 Susan McCourt CLA 2012-04-03 11:37:20 EDT 
I talked about this with Simon.  When I wrote the bug, I was imagining some kind of "shell service" object that had a small set of API and hid the notion of the service registry and services from the plugin.  The idea being, it's a security hole to let the plugin have the service registry and services.

Simon is now talking about a plugin security model that let service providers, users, plugins, etc. define a security model.  So instead of having a "shell service" with limited API, instead, we would assign permissions to plugins.

Some plugins might be given access to the dialog service, or notification service, etc.  Some might be given read permission on the file service, or read/write, etc.

Given all this, I think this bug goes to Simon (you can rename it if you want) and I will focus on bugs like bug 371157.
Comment 3 Simon Kaegi CLA 2013-09-09 11:00:50 EDT 
An initial version is in place now that support sending objects back and forth as parameters. 

Note: objects are sent by reference so do not provide field access and all methods are converted to return a promise.

I've tried to retain backwards compatibility with the existing plugin.js however if your plugin was using events you will need to update your plugin.js at least for now.

--
There is still a lot of communication redundancy/duplication between plugin and pluginregistry that I need to clean up before marking fixed.
Comment 4 Simon Kaegi CLA 2013-10-09 17:07:30 EDT 
.