At Fri, 28 Apr 2006 13:49:38 +0200, Pierre THIERRY <[EMAIL PROTECTED]> wrote: > > [1 <multipart/signed (7bit)>] > [1.1 <text/plain; us-ascii (quoted-printable)>] > Scribit Marcus Brinkmann dies 28/04/2006 hora 01:51: > > > I'm not sure if the powerbox shoudl allow such potentially malicious > > > behaviour: if the resource is for a plugin, shouldn't the powerbox > > > be able to tell the user that the plugin indeed will be the > > > recipient of the capability? > > It can't, because it is the powerbox of the browser. The plugin does > > not have its own powerbox. > > Why?
Bas explained it, but let me at some more detail. You could let the browser ask the shell to start the plugin. In this case, _if_ the shell complies (which would require authorization by the user, direct or indirect), then the plugin would get its own space bank reserve, powerbox etc, and would exist co-equal to the browser, with some communication channel between them. However, we don't think of the plugin as co-equal to the browser, so that's not the design pattern we want to use. I also think that things are much more manageable for the user if as much coordination between processes is localized among them. The user doesn't necessarily know what a plugin is or does, so we should leave all this stuff to the browser. But, having said that, I also think, at least provisionally, it is useful to let the browser _advise_ the user about the planned use of a resource like a file, from the powerbox (with all the caveats we agreed upon already - like making clear that the browser may not cooperate etc). Thanks, Marcus _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
