Re: Child killing UI (was Re: Reliability of RPC services)

[Marcus Brinkmann]

At Fri, 28 Apr 2006 13:49:38 +0200,
Pierre THIERRY <address@hidden> wrote:
> 
> [1  <multipart/signed (7bit)>]
> [1.1  <text/plain; us-ascii (quoted-printable)>]
> Scribit Marcus Brinkmann dies 28/04/2006 hora 01:51:
> > > I'm not sure if the powerbox shoudl allow such potentially malicious
> > > behaviour: if the resource is for a plugin, shouldn't the powerbox
> > > be able to tell the user that the plugin indeed will be the
> > > recipient of the capability?
> > It can't, because it is the powerbox of the browser.  The plugin does
> > not have its own powerbox.
> 
> Why?

Bas explained it, but let me at some more detail.

You could let the browser ask the shell to start the plugin.  In this
case, _if_ the shell complies (which would require authorization by
the user, direct or indirect), then the plugin would get its own space
bank reserve, powerbox etc, and would exist co-equal to the browser,
with some communication channel between them.

However, we don't think of the plugin as co-equal to the browser, so
that's not the design pattern we want to use.

I also think that things are much more manageable for the user if as
much coordination between processes is localized among them.  The user
doesn't necessarily know what a plugin is or does, so we should leave
all this stuff to the browser.

But, having said that, I also think, at least provisionally, it is
useful to let the browser _advise_ the user about the planned use of a
resource like a file, from the powerbox (with all the caveats we
agreed upon already - like making clear that the browser may not
cooperate etc).

Thanks,
Marcus