Friday, May 30, 2008

One of the details of Yahoo! BrowserPlus that people picked up on was the fact that it only runs against Yahoo! properties.


However, some folks have hacked around that restriction so they can play with it locally, assuming that Yahoo! wouldn't like this.


Skylar Woodward of Yahoo! has posted that this isn't the case at all:



BrowserPlus was more-or-less designed to be hacked. Not hacked in the “I want to steal innocent users’ data and delete their files” sort of way, but in a manner that allows experimentation and freedom without compromising the security of pedestrian users. There’s more there to be mined, but enabling local development is a good place to start.


And goes on to show how you can get rid of the restriction:



Currently, BrowserPlus is restricted to Yahoo! sites; that includes restrictions for running local files. A simple addition to our test file exposes the error:



    else {greeting = "BrowserPlus is hiding. ("+res.verboseError+")";}


The error BP_EC_UNAPPROVED_DOMAIN confirms the local domain (file://) isn’t permitted. That means it’s time to dig into the BP configuration files. On Mac these are in


/Users/[you]/Library/Application Support/Yahoo!/BrowserPlus/


On Windows XP, you’ll find them in something akin to


c:\Documents And Settings\[you]\Local Settings\Application Data\Yahoo!\BrowserPlus\


and on Windows Vista…


c:\Users\[you]\AppData\Local\Yahoo!\BrowserPlus\


In the Permissions folder is a file similarly named which is what we’re looking for. Opening it up we see:



    "whitelist" : [
        "^http(s?)://(.*)\\.yahoo\\.com$",
        "^http(s?)://(.*)\\.yahoo\\.com:[0-9]+$"
    ],


The intuitive addition to this list is:



    "whitelist" : [
        "^http(s?)://(.*)\\.yahoo\\.com$",
        "^http(s?)://(.*)\\.yahoo\\.com:[0-9]+$",
        "^file://$"
    ],


The file is modified, but BrowserPlus hasn’t picked up the changes yet. The clean way to force this is to close all open browser windows. (BrowserPlus shuts down when no pages are using it.) The dirty way to do this is to search for BrowserPlusCore in your process list and kill it using your favorite platform-available tool. Either way, after opening test.html back up we should see our “Hello World.” Sweet - now we’re ready to start playing.


There is one final catch. BrowserPlus is fairly proactive about security so it helps to know that the permissions file will be overwritten on a regular basis. The savvy way around this would be a simple build script or at least a handy copy of our modified permissions file that we can use to reapply the changes in between development sessions. We might also test for BP_EC_UNAPPROVED_DOMAIN somewhere in our init callback to scream if the temporary development environment is disrupted.
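The reapply step described above could look like the following. This is an added example, not code from the original post or from BrowserPlus. It assumes the permissions file is a JSON object with a top-level "whitelist" array, and that each pattern is tested against a "scheme://host[:port]" string; the function names are hypothetical.

```javascript
// Added example, not BrowserPlus code. Assumptions: the permissions file is a
// JSON object with a top-level "whitelist" array of regex strings, and each
// pattern is tested against "scheme://host[:port]".
const LOCAL_DEV_PATTERN = "^file://$";

// Return { text, changed }: the permissions JSON with the local-dev entry present.
// Idempotent, so it can run before every development session.
function ensureLocalDev(permissionsText) {
  const perms = JSON.parse(permissionsText);
  if (!Array.isArray(perms.whitelist)) {
    throw new Error('no "whitelist" array; file layout differs from the assumption');
  }
  if (perms.whitelist.includes(LOCAL_DEV_PATTERN)) {
    return { text: permissionsText, changed: false };
  }
  perms.whitelist.push(LOCAL_DEV_PATTERN);
  return { text: JSON.stringify(perms, null, 4), changed: true };
}

// True if any whitelist pattern matches the given origin string.
function isApproved(origin, whitelist) {
  return whitelist.some((pattern) => new RegExp(pattern).test(origin));
}

// Constructed sample: the shipped whitelist exactly as shown in the post.
const SHIPPED = JSON.stringify({
  whitelist: [
    "^http(s?)://(.*)\\.yahoo\\.com$",
    "^http(s?)://(.*)\\.yahoo\\.com:[0-9]+$",
  ],
});

// Compare which sample origins are approved before and after the edit.
function demo() {
  const before = JSON.parse(SHIPPED).whitelist;
  const after = JSON.parse(ensureLocalDev(SHIPPED).text).whitelist;
  const origins = ["https://developer.yahoo.com", "http://localhost:8080", "file://"];
  return origins.map((origin) => ({
    origin,
    before: isApproved(origin, before),
    after: isApproved(origin, after),
  }));
}

console.log(demo());
```

Reading and writing the actual file is left to the caller, since the post does not give its exact name. Under the matching assumption above, the added entry carries no path, so it approves every page opened from the local disk and belongs on development machines only.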



