How to write a secure NPAPI plugin that would interact only with a specific chrome extension?

Question

I want to write a chrome extension that would automatically (without user interaction) read and upload a file from the local storage based on some event. I understand this is not directly possible because of the security model of the web and browsers.

After researching online I found that this can be achieved through an NPAPI plugin. From what I understand, I can write a chrome extension that will interact (via NPRuntime API) to the NPAPI plugin and request for a file to be uploaded. The plugin would retrieve the file and respond with the file data.

Question 1: Is the architecture conceived above a reasonable/efficient way of achieving my task?

If so, then my concern is on the security of this method.

Question 2: Since my plugin would be reading (and maybe writing) stuff from (and to) local storage, how would I code it in a secure manner so that it's not misused by other malicious sites/extensions? My plugin should work only with my extension and not with any other site/extensions. How would I achieve this? In other words, what kind of measures should I take to secure the interactions between my chrome extension and NAAPI plugin so that there is no room for malicious attacks?

Answer 1

Several FireBreath users have created plugins with FireBreath for use with Chrome and packaged them inside a Chrome Extensions (CRX). If you make the plugin "private" inside the extension then only that chrome extension can use the plugin. Note that no other browsers support this method.

You could of course do the same thing with any other NPAPI plugin, but FireBreath saves you a ton of time when you don't have to implement everything yourself.