| # Extension Bindings |
| |
| [TOC] |
| |
| ## What Is It? |
| |
| The Bindings System is responsible for creating the JS entry points for APIs. |
| It creates the `chrome` object (if it does not exist) and adds the API objects |
| (e.g. `tabs`) that should be accessible to the context. |
| |
| ## Initialization |
| |
| Bindings are initialized by creating an ObjectTemplate from an API specification |
| and stamping out copies of this template. This means that once an API is |
| instantiated once, further instantiations within that same process are |
| significantly faster. The API itself is specified from a .json or .idl file in |
| extensions/common/api or chrome/common/extensions/api. |
| |
| This is slightly complicated because APIs may have features (such as specific |
| methods or events) that are restricted in certain contexts, even if the rest of |
| the API is available. As a result, after object instantiation, there’s a chance |
| we may have to alter the object in order to remove these unavailable features. |
| |
| ## API Features |
| |
| A "feature" of an API is a property on the API object to expose some |
| functionality. There are three main types of features exposed on APIs. |
| |
| * __Functions__: |
| Functions are the main type of feature exposed on APIs. They allow callers to |
| interact with the browser and trigger behavior. |
| |
| * __Events__: |
| Most events are dispatched when something happens to inform an interested party |
| of the instance. Callers subscribe to the events they are interested in, and |
| are notified only for subscribed events. While most events do not influence |
| behavior change in the browser, declarative events may. |
| |
| * __Properties__: |
| Certain APIs have exposed properties that are accessed directly on the API |
| object. These are frequently constants (including enum definitions), but are |
| also sometimes properties relating to the state of the context. |
| |
| ## Restriction |
| |
| Not all APIs are available to all contexts; we restrict which capabilities are |
| exposed based on multiple factors. |
| |
| ### Scope |
| |
| Features may be restricted at multiple scopes. The most common is at the |
| API-scope - where none of the API will be made available if the requirements |
| aren’t met. In this case, the chrome.<apiName> property will simply be |
| undefined. However, we also have the ability to restrict features on a more |
| granular scope, such as at the method or event level. In this case, even though |
| most of an API may be available, a certain function might not be; or, |
| conversely, only a small subset of features may be available while the rest of |
| the API is restricted. |
| |
| ### Restricting Properties |
| Feature restrictions are based on a specific v8::Context. Different |
| contexts within the same frame may have different API availabilities (this is |
| significantly different than the web platform, where features are exposed at the |
| frame-level). The bindings system takes into account context type, associated |
| extensions, URL, and more when evaluating features; for more information, see |
| the [feature documentation](/chrome/common/extensions/api/_features.md). |
| |
| ## Typical Function Flow |
| |
| The typical flow for all API methods is the same. A JS entry point (the method |
| on the API object) leads to a common native implementation. This implementation |
| has the following steps: |
| |
| * __Argument Parsing__: |
| |
| Passed arguments are parsed against an expected signature defined in the API |
| specification. If the passed arguments match the signature, the arguments are |
| normalized and converted to a serialized format (base::Value). |
| * __Request Dispatch__: |
| A request is dispatched with the parsed arguments and other information about |
| the request (such as requesting context and user gesture status). If a callback |
| is included in the arguments, it is stored (along with other information about |
| the request) until the response is received. |
| * __Request Response__: |
| A response is provided asynchronously, indicating success or failure, along with |
| any return values (to pass to a provided callback) or an error message. The |
| pending request is removed. |
| |
| ## Custom Function Hooks |
| |
| Certain APIs need to deviate from this typical flow in order to customize |
| behavior. We provide the following general custom hooks for APIs to modify the |
| typical behavior. |
| |
| * __updateArgumentsPreValidate__: |
| Allows an API implementation to modify passed arguments before the argument |
| signature is validated. This can be useful in the case of undocumented |
| (internal) parameters or properties, such as a generated ID. |
| * __updateArgumentsPostValidate__: |
| Allows an API implementation to modify passed arguments after the argument |
| signature is validated, but before the request is handled. Note: this is |
| usually bad practice, as any modification means that the arguments no longer |
| match the expected signature. This can cause headaches when we attempt to |
| deserialize these values. |
| * __handleRequest__: |
| Allows an API implementation to internally handle a request. This is useful |
| when the request itself should not go through the normal flow, such as when the |
| logic requires a greater level of involvement on the renderer, or is entirely |
| handled without needing to message the browser. |
| * __customCallback__: |
| Allows an API implementation to add a callback that should be called with the |
| result of an API function call before the caller’s callback is invoked. It is |
| the responsibility of the custom callback to invoke the original callback, which |
| is passed as an argument. This is useful when the return results should be |
| mutated before returning to the caller (which can be necessary when the eventual |
| result could be a renderer-specific concept, such as a DOMWindow). |
| |
| An API implementation may use one or more of these hooks. |
| |
| ### Registering Hooks |
| |
| Custom Hooks can be registered through either native or JS bindings. In native |
| bindings, APIs can subclass APIBindingHooksDelegate and register themselves with |
| the bindings system. This typically happens during the bootstrapping of the |
| renderer process. Native binding hooks are the preferred approach for new |
| bindings. |
| |
| We also expose hooks in JS through the APIBindingBridge object, which provides |
| a registerCustomHook method to allow APIs to create hooks in JS. This style of |
| custom hooks is __not preferred__ and will be __deprecated__. These are bad |
| because a) JS is much more susceptible to untrusted code and b) since these run |
| on each object instantiation, the performance cost is significantly higher. |
| |
| ## Events |
| |
| Events are dispatched when the associated action occurs. |
| |
| ### Types |
| |
| There are three types of events. |
| |
| * __Regular__: |
| These events are dispatched to the subscriber when something happens, and merely |
| serve as a notification to allow the subscriber to react. |
| * __Declarative__: |
| Declarative events allow a subscriber to specify some action to be taken when an |
| event occurs. For instance, the declarativeContent API allows a subscriber to |
| indicate that an action should be shown whenever a certain URL pattern or CSS |
| rule is matched. For these events, the subscriber is not notified when the |
| event happens; rather, the browser immediately takes the specified action. By |
| virtue of not notifying the subscriber, we help preserve the user’s privacy; if |
| a subscriber says "do X when the user visits example.com", it does not know |
| whether the user visited example.com. (Note: subsequent actions, such as a user |
| interacting with the action on a given page, can expose this.) |
| * __Imperative__: |
| A few events are designed to be dispatched and to return a response from the |
| subscriber, indicating an action the browser should take. These are |
| predominantly used in the webRequest API, where a subscriber can register events |
| for navigations, receive notifications of those navigations, and return a result |
| of whether the navigation should continue, cancel, or redirect. These events |
| are generally discouraged for performance reasons, and declarative events are |
| preferred. |
| |
| ### Filters |
| |
| Certain events also allow the registration of filters, which allow subscribers |
| to only be notified of a subset of events. For example, the webNavigation and |
| webRequest APIs allow filtering by URL pattern, so that uninteresting |
| navigations are ignored. |
| |
| ## Legacy JavaScript Implementations |
| |
| The prior bindings system was implemented primarily in JavaScript, rather than |
| utilizing native code. There were many reasons for this, but they include ease |
| of coding and more limited interactions with Blink (WebKit at the time) and V8. |
| Unfortunately, this led to numerous security vulnerabilities (because untrusted |
| code can run in the same context) and performance issues (because bindings were |
| set up per context, and could not be cached in any way). |
| |
| While the native bindings system replaces the core functionality with a native |
| implementation, individual APIs may still be implemented in JavaScript custom |
| bindings, or hooks. These should eventually be replaced by native-only |
| implementations. |
| |
| ## Differences Between Web/Blink Bindings |
| |
| There are a number of differences between the Extensions Bindings System and |
| Blink Bindings. |
| |
| ### Common Implementation to Optimize Binary Size |
| |
| Most Extension APIs are implemented in the browser process after a common flow |
| in the renderer. This allows us to optimize the renderer implementation for |
| space and have the majority of APIs lead to a single entry point, which can |
| match an API against an expected schema. This is contrary to Blink Bindings, |
| which set up a distinct separate entry point for each API, and then individually |
| parses the expected results. |
| |
| The Blink implementation provides greater speed, but comes at a larger generated |
| code cost, since each API has its own generated parsing and handling code. |
| Since most Blink/open web APIs are implemented in the renderer, this cost is not |
| as severe - each API would already require specialized code in the renderer. |
| |
| Extension APIs, on the other hand, are predominantly implemented in the browser; |
| this means we can optimize space by having a single parsing/handling point. |
| This is also beneficial because many extension APIs are exposed on a more |
| limited basis, where only a handful of contexts need access to them, and thus |
| the binary size savings is more valuable, and the speed cost less harmful. |
| |
| ### Signature Matching |
| |
| Signature matching differs significantly between WebIDL and Extension APIs. |
| |
| #### Optional Inner Parameters |
| |
| Unlike OWP APIs, Extension APIs allow for optional inner parameters. For |
| instance, if an API has the signature `(integer, optional string, optional |
| function)`, it may be invoked with `(integer, function)` - which would not be |
| valid in the OWP. This also allows for inner parameters to be optional with |
| subsequent required parameters, such as `(integer, optional string, function)` - |
| again, something which would be disallowed on the OWP. |
| |
| #### Unknown Properties |
| |
| Unknown properties on objects are, by default, unallowed. That is, if a |
| function accepts an object that has properties of `foo` and `bar`, passing |
| `{foo: <foo>, bar: <bar>, baz: <baz>}` is invalid. |
