Hacking BrowserPlus

Wow. It’s pretty cool to see so much excitement about BrowserPlus just a day after putting it into public view. Truly, its humbling. Already many folks seem eager to go beyond experiencing it and actually start tinkering, building – and some have. It requires a bit of tenacity to uncover but actually, everything you need to get started is at your fingertips. Let’s look at what it takes to start hacking.

First, there’s the core BrowserPlus javascript API. The latest copy is at

In this file are all the functions outlined in the code samples along with a full under-the-hood look at what is going on in many of the calls. The two key functions you’d need to know are init() and require(). (See the linked samples for usage.) Putting this together we can create a simple local file, test.html:

<script class="javascript"
<script class="javascript">
  YAHOO.bp.init(function(res) {  
    var greeting;
    if(res.success) {greeting = "BrowserPlus says, Hello World.";}
    else {greeting = "BrowserPlus is hiding.";}


This is a simple document that will attempt to initialize BrowserPlus. If it succeeds, it writes “Hello World” to the document body. If you run this sample in your BrowserPlus-enabled browser it will fail. Why? Currently, BrowserPlus is restricted to Yahoo! sites; that includes restrictions for running local files. A simple addition to our test file exposes the error:

  else {greeting = "BrowserPlus is hiding. ("+res.verboseError+")";}

The error BP_EC_UNAPPROVED_DOMAIN confirms the local domain (file://) isn’t permitted. That means it’s time to dig into the BP configuration files. On Mac these are in

  /Users/[you]/Library/Application Support/Yahoo!/BrowserPlus/

On Windows XP, you’ll find them in something akin to

  c:\\Documents And Settings\[you]\Local Settings\Application Data\Yahoo!\BrowserPlus\

and on Windows Vista…


In the Permissions folder is a file similarly named which is what we’re looking for. Opening it up we see:

    "whitelist" : [

The intuitive addition to this list is:

    "whitelist" : [

The file is modified, but BrowserPlus hasn’t picked up the changes yet. The clean way to force this is to close all open browser windows. (BrowserPlus shuts down when no pages are using it.) The dirty way to do this is to search for BrowserPlusCore in your process list and kill it using your favorite platform-available tool. Either way, after opening test.html back up we should see our “Hello World.” Sweet – now we’re ready to start playing.

There is one final catch. BrowserPlus is fairly proactive about security so it helps to know that the permissions file will be overwritten on a regular basis. The savvy way around this would be a simple build script or at least a handy copy of our modified permissions file that we can use to reapply the changes in between development sessions. We might also test for BP_EC_UNAPPROVED_DOMAIN somewhere in our init callback to scream if the temporary development environment is disrupted.

That’s a lot of under-the-hood detail, but the takeaway is that BrowserPlus was more-or-less designed to be hacked. Not hacked in the “I want to steal innocent users data and delete their files” sort of way, but in a manner that allows experimentation and freedom without compromising the security of pedestrian users. There’s more there to be mined, but enabling local development is a good place to start. Good luck and cheers to all the curious and creative souls.

One Response to “Hacking BrowserPlus”

  1. [...] Woodward of Yahoo! has posted that this isn’t the case at all: BrowserPlus was more-or-less designed to be hacked. Not hacked in the “I want to steal innocent [...]

Leave a Reply

Copyright © 2003-2011 Skylar Woodward | Entries (RSS) and Comments (RSS).