Zotz and the limitations of the Zotero plugin framework

Zotz Developer's Guide – SIMILE has a useful warning to all who work on developing Zotero plugins:

Zotz is a Zotero add-on, but it's written as a regular Firefox extension: the nature of Firefox extensions all living in the same address space allows extensions to invoke each other's internal methods, which means that Zotz can extend Zotero without Zotero having to expose special APIs for this.

While this is a very powerful mechanism, it is also insecure and fragile.

Insecure because it allows potentially malicious extensions to act uncontrolled inside your browser (stealing your data and/or altering the browser or the extensions' own activities) and fragile because Zotero might change internal APIs not knowing that Zotz depended on them and would immediately break Zotz functionality.

There is currently no better way to do things so we're stuck with it for the time being, but being aware of the situation helps forecast future development needs and potential issues that could arise.
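
The shared-scope patching the guide describes, as an added JavaScript example that is not code from Zotz, Zotero or the guide: the `host` object and every method name in it are constructed stand-ins, not real internals. It shows the add-on failing cleanly when an internal method is renamed, and a reference check that notices when other code in the same scope has replaced the patched slot.

```javascript
// Constructed stand-in for the extended add-on; none of these names are
// real Zotero or Zotz internals.
function makeHost(version) {
  const items = [];
  const host = { version, items };
  // Version 2 renames the internal method, as any undocumented API may.
  const name = version === 1 ? "_saveItem" : "_persistItem";
  host[name] = function (item) { items.push(item); return items.length; };
  host.save = (item) => host[name](item); // public entry point
  return host;
}

// An add-on living in the same scope wraps the internal method in place.
// It reports a status instead of throwing when the internal is gone.
function installAddon(host, log) {
  const original = host._saveItem;
  if (typeof original !== "function") {
    return { installed: false, reason: "host._saveItem missing in v" + host.version };
  }
  const wrapper = function (item) {
    log.push("addon saw: " + item.title);
    return original.call(this, item);
  };
  host._saveItem = wrapper;
  return { installed: true, wrapper };
}

// Integrity check: does the slot still hold the function we installed?
function isTampered(host, expected) {
  return host._saveItem !== expected;
}

function demo() {
  const log = [];
  const v1 = makeHost(1);
  const addon = installAddon(v1, log);
  v1.save({ title: "paper A" });
  const cleanBefore = !isTampered(v1, addon.wrapper);
  // Nothing isolates the slot: other code in scope can replace it too.
  v1._saveItem = function () { return 0; }; // constructed: silently drops the item
  v1.save({ title: "paper B" });
  const tamperedAfter = isTampered(v1, addon.wrapper);
  const v2 = installAddon(makeHost(2), log); // host upgraded, internal renamed
  return { log, stored: v1.items.length, cleanBefore, tamperedAfter, v2 };
}
```

Neither the host nor the add-on sees an error when the slot is overwritten; only the explicit reference comparison reveals it.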