Added documentation for javascript features

1 files changed, 33 insertions, 1 deletions

diff --git a/README b/README
index 801ee34..478b0e4 100644
--- a/README
+++ b/README
@@ -161,6 +161,38 @@ The following commands are recognized:
    - remember to quote the commands; one command must come as one parameter
    - if you use `chain` with a handler script which must return some output (such as a cookie handler -- uzbl will wait for and use its output), use sync_spawn or sync_sh instead of spawn or sh in the command that should give the output
 
+### JAVASCRIPT HELPER OBJECT
+
+Javascript code run from uzbl is given a special object in the global namespace which gives special privileges to these scripts. This object is called `Uzbl`, and it is added and removed before and after the script execution so that it is hidden to web javascripts.
+
+Currently, the `Uzbl` object provides only one function:
+
+* `Uzbl.run( <command> )`
+   - command is any uzbl command as defined above
+   - return value: a string, either empty or containing the output of the command. Very few commands return their output currently, including js, script, and print.
+   - Examples:
+       * `Uzbl.run("spawn insert_bookmark.sh")`
+       * `uri = Uzbl.run("print @uri")` (see variable expansion below)
+
+### JAVASCRIPT SECURITY
+
+Since defined variables and functions are set in the global namespace (`window` object) as default, it is recommended to wrap your scripts like this:
+
+    (function(Uzbl) {
+        ...
+    })(Uzbl);
+
+This way, everything is kept private. It also turns Uzbl into a local variable, which can be accessed from callback functions defined inside. However for some situations, isolating everything isn't an option, for example, with binds. You can define them directly in the script body, and use `var Uzbl = window.Uzbl;` to make the Uzbl variable local, as in the following example:
+
+    function f() {
+        var Uzbl = window.Uzbl;
+        Uzbl.run(...);
+        setTimeout(function() {
+            Uzbl.run(...);
+        }, 500);
+    }
+
+Copying the Uzbl object and creating public functions should be taken with care to avoid creating security holes. Keep in mind that the "f" function above would be defined in the `window` object, and as such any javascript in the current page can call it.
 
 ### VARIABLE EXPANSION AND COMMAND/JAVA SCRIPT SUBSTITUTION
 
@@ -258,7 +290,7 @@ The script specific arguments are this:
 * cookie handler
 
     $8 GET/PUT
-    $9 request address host (if current page url is www.foo.com/somepage, this could be something else then foo, eg advertising from another host)
+    $9 request address host (if current page url is www.foo.com/somepage, this could be something else than foo, eg advertising from another host)
     $10 request address path
     $11 cookie (only with PUT requests)