<HTML><TITLE>The Browser Plugin and Safe-Tcl: The Tcl/Tk Plugin</TITLE><BODY BGCOLOR="#FFF0E0" VLINK="#0FBD0F" TEXT="#101000" LINK="#0F0FDD">
<A NAME="top"><H1>The Tcl/Tk Plugin</H1></A>
<P> The Tcl/Tk plugin is commonly known in the Tcl community as the Netscape
plugin but it runs with some other browsers as well. This chapter is based
on version 2.0 which was recently released at the time of writing. Over the past
couple of years, the plugin has undergone rapid development and change. Earlier
versions (including the alpha release of version 2.0) are very different from
what is described here. Look for the most recent version of the plugin from
<A HREF="http://sunscript.sun.com/plugin">Sun</A> or
<A HREF="http://www.scriptics.com/">Scriptics.</A>
<P> The plugin provides a Tcl/Tk interpreter to execute tclets. After the
plugin is installed, it will be loaded whenever your Web browser
recognizes that it has downloaded a tclet. The easiest way to ensure such
recognition is to give the extension <TT>.tcl</TT> to the tclet. Although most
tclets expect to run in Tk, the <TT>.tcl</TT> extension is commonly used. As a
tclet executes, Tk's root window appears as an entire Web page or as part of
another Web page. When a tclet places a widget in the slave's root window,
that widget appears in the browser. When the user backs out of this Web page
or links to another Web page, the plugin terminates. Each time the user
reviews the page, the plugin restarts.
<P> A tclet's root window will fill a Web page when it is downloaded as a Web
page, for example, if another Web page links to it with the <TT>&lt;A&gt;</TT> tag. A tclet's
root window will be part of a Web page if an <TT>&lt;EMBED&gt;</TT> tag in the
containing page refers to it. In this case, the root window will have the
dimensions given with the <TT>WIDTH</TT> and <TT>HEIGHT</TT> attributes of the
<TT>&lt;EMBED&gt;</TT> tag. (See above in
<A HREF="NotHere.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/NotHere.html">A Brief HTML Introduction</A> for a description of the
<TT>&lt;EMBED&gt;</TT> tag.)
<P> <STRONG>Remark</STRONG> <DL><DD> If your tclet's file does not have the appropriate
extension, you need to use the <TT>&lt;EMBED&gt;</TT> tag and you need to add
this attribute:
<PRE>
TYPE="application/x-tcl"
</PRE>
</DL>
<P> Figure 21.1a shows an example display which will result if you fetch
<A HREF="http://www.mapfree.com/sbf/tcl/book/canvas.tcl">a URL</A>
from this book's Web site with a Netscape browser. This example is similar to
the one developed above in Chapter 19, "Canvases." As you drag the dots,
the line or polygon changes shape. The "Make Smooth" button is used to
change the figure from a line or polygon to a similar Bezier curve which is
"pulled" in the direction of the dots rather than going through the
dots.
<P><CENTER><TABLE BORDER>
<CAPTION><ADDR>Figure 21.1a: Geometric forms from a tclet.</ADDR></CAPTION>
<TR ALIGN=center><TD><IMG SRC="F21x1a.JPG" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Figs/F21x1a.JPG">
</TD></TR>
</TABLE></CENTER><P>
<P> The plugin was designed to help you manage risks to your privacy or the
integrity of your file system. It permits a tclet like the one that generated
Figure 21.1a to run without noticeable constraint because such tclets do not
open any files, create any TCP/IP channels, or take any other action that
could either access your file system or communicate with another computer.
Even so innocuous a form of communication as sending email is prohibited. One
reason is that a tclet could use email in a way that damages the reputation of
the person whose name appears as the sender.
<P> The plugin was not designed to manage all risks. Risks that are not so well
managed involve the possibility that a tclet may try to deny you the use of
your computer by keeping the processor busy or by using up your disk space.
The main denial of service threat which the plugin tries to control is overuse
of your disk space. However, the plugin controls some other things as well.
For example, it denies a tclet access to a Tk command that is capable of
grabbing control over all mouse input.
<P> The plugin is managed with a master script that runs in an almost normal
interpreter. The few abnormalities in this master interpreter have to do with
the fact that it runs in an environment initiated by your Web browser. The
master script creates a new slave interpreter to execute each downloaded
tclet. This slave interpreter is called a <CITE><A NAME="#G21.1safebase">Safe Base</A></CITE> interpreter
and it is not at all normal – it is born without dangerous powers.
<P> To make up for the Safe Base interpreter's limitations, the plugin master
script gives it a <TT>policy</TT> command which a tclet can use to request an
upgraded interpreter whose additional powers are consistent with some security
policy. A tclet may be authorized for more than one security policy but it
cannot run under more than one policy during one execution.
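<P> The master/slave arrangement described above can be tried with the safe interpreters built into core Tcl. This is an added example, not the plugin's master script; the procedure <TT>fetchForChild</TT>, the alias name <TT>fetch</TT> and the <TT>example.com</TT> URLs are constructed for illustration.

```tcl
# Added example: a core Tcl safe interpreter, not the plugin's master script.
set child [interp create -safe]

# Commands withheld from a safe interpreter are hidden rather than deleted;
# only the master can list or invoke them.
puts "hidden in child: [lsort [interp hidden $child]]"

# From inside the child, file, network and process access are all refused.
foreach script {
    {open /etc/hosts r}
    {socket localhost 80}
    {exec ls}
} {
    if {[catch {interp eval $child $script} msg]} {
        puts "child: $script -> refused ($msg)"
    }
}

# A master-side procedure that grants one narrow power. Hypothetical rule:
# the child may name only URLs under its own home directory.
set home "http://www.example.com/tclets/"        ;# constructed value
proc fetchForChild {home url} {
    if {![string match ${home}* $url]} {
        error "not permitted: $url"
    }
    return "master would fetch $url"              ;# placeholder, no I/O here
}

# The alias is the only route from the child to the master's procedure, and
# the master fixes the first argument so the child cannot change it.
interp alias $child fetch {} fetchForChild $home

puts [interp eval $child {fetch http://www.example.com/tclets/data.txt}]
if {[catch {interp eval $child {fetch http://other.example.net/x}} msg]} {
    puts "child: fetch -> refused ($msg)"
}
interp delete $child
```

<P> The check runs in the master, so a tclet cannot redefine or bypass it from inside its own interpreter.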
<P>
<P> Security policies are described in configuration files. In the default
installation you will find these files in a directory named <TT>config</TT> that
is a sibling of the directory containing the executables. A policy's
configuration file determines which command set will be available to the tclet
in the upgraded interpreter.
<P> <STRONG>Remark</STRONG> <DL><DD> The concept of "command" in a slave interpreter
is a little different from the one used so far in this book. See below
in
<A HREF="21.4.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.4.html">Customizing Slave Interpreters</A>.
<P> </DL>
<P> Here is a list of the security policies whose configuration files are
shipped with version 2.0.
<P><DL>
<P> <DT><PRE><CITE><A NAME="#G21.1homepolicy">home policy</A></CITE></PRE><DD> Gives the tclet the power to fetch other
files from the same computer and directory that supplied the tclet. Files
from subdirectories can also be fetched. This policy is pretty safe and, as
shipped, the plugin lets any tclet run under it.
<P> <DT><PRE><CITE><A NAME="#G21.1nsdplcy">inside policy</A></CITE></PRE><DD> This is meant to give a tclet the power
to make TCP/IP connections within your local network. The policy needs more
configuration before it can be used. See below in
<A HREF="21.2.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.2.html">Combining Features into Policies</A>.
<P> <DT><PRE><CITE><A NAME="#G21.1jvscrptplcy">javascript policy</A></CITE></PRE><DD> Gives the tclet the powers used by a
Web browser. These powers include the abilities to access your file system,
to connect to an arbitrary resource using sockets, to run JavaScript, and to
send email. Do not let untrusted tclets use this policy.
<P> <DT><PRE><CITE><A NAME="#G21.1tsdplcy">outside policy</A></CITE></PRE><DD> This is meant to give a tclet the power
to make TCP/IP connections outside your local network. The policy needs more
configuration before it can be used. See below in
<A HREF="21.2.html" tppabs="http://www.mapfree.com/sbf/tcl/book/select/Html/21.2.html">Combining Features into Policies</A>.
<P> <DT><PRE><CITE><A NAME="#G21.1trstdplcy">trusted policy</A></CITE></PRE><DD> Lets the tclet run in an ordinary Tcl/Tk
interpreter. Since this involves permitting the full power of Tcl/Tk, you
should be very careful about which tclets you permit to run under this policy.
As currently shipped, the plugin permits no tclets to use this policy.
</DL></P>
<P> These policies have three things in common:
<OL>
<P> <P><LI> the general organization of their configuration files,
<P> <P><LI> the method by which a tclet is authorized to use them, and
<P> <P><LI> the mechanism by which they can provide persistent storage
for tclets. </OL>
<P> This section continues with three subsections, one devoted to each of these
commonalities.
<A NAME="thfrmfcnfgrtnfl">
<H3>The Form of a Configuration File</H3></A>
<P> The configuration file for a policy named <CITE>NAME</CITE> is itself named
<CITE>NAME</CITE><TT>.cfg</TT> and it consists of
<UL>
<P> <P><LI> Comments, that is, lines that begin with <TT>#</TT>
<P> <P><LI> Section headers, that is, lines that begin with <TT>section</TT>
<P> <P><LI> Enabling lines, that is, lines
that begin with <TT>allow</TT> or <TT>disallow</TT>
<P> <P><LI> Parameter setting lines, that is, lines that begin with <TT>constant</TT>
</UL>
Enabling lines and parameter setting lines belong to (or are governed by) the
section most recently named with a section header. Besides a configuration
file for each policy, there is an overall configuration file, <TT>plugin.cfg</TT>,
of the same format. The main purpose of <TT>plugin.cfg</TT> is to determine which
policies are available and which tclets may use them. All configuration file
lines have the form of Tcl command lines and it is possible under some
circumstances to include more general Tcl commands.
<P> The major function of most sections is to provide a method of declaring
which resources may be used. Resources may be such things as security
policies, URLs, host/port pairs, and so forth. This function of a section
is supported by the enabling lines which belong to it.
<P> Some examples of enabling lines are:
<P><DL>
<DT><PRE>allow home</PRE><DD>
Used in <TT>plugin.cfg</TT> to enable the home security policy for all tclets.
<DT><PRE>allow $originHomeDirURL*</PRE><DD>
Used in <TT>home.cfg</TT> to enable access to URLs from the same source as the
tclet.
<DT><PRE>allow javascript ifallowed trustedJavascriptURLs $originURL</PRE><DD>
Used in <TT>plugin.cfg</TT> to enable the javascript security policy for some tclets.
<DT><PRE>disallow trusted</PRE><DD>
Used in <TT>plugin.cfg</TT> to disable the trusted security policy.
<DT><PRE>allow * *</PRE><DD>
Used in <TT>javascript.cfg</TT> to enable TCP/IP connections to any host and port.
</DL></P>
These examples are incomplete because they are taken out of context. As
explained in some detail below, the resource that is being allowed or
disallowed depends on the configuration file and the section
within that configuration file.
<P> The use of <TT>ifallowed</TT> is described in the next subsection. This
subsection finishes with a description of the <TT>section</TT> command which is
always followed by some arguments. Arguments such as <TT>policies</TT>,
<TT>hosts</TT>, and <TT>ports</TT> are in one sense just names for strings which will
be tested for acceptability as the configuration file is processed. In
another sense, they tell the plugin's master script which section is being
described and so they are not arbitrary names.
<P> For example, <TT>section policies</TT> declares a section used to describe which
policies are acceptable and <TT>section hosts ports</TT> declares a section used
to describe which hosts and ports are acceptable network connections.
<P> When a section is being used to test whether some resource may be used, the
test is merely one of whether a string naming the resource fits a pattern.
For example, after <TT>section urls</TT>, the test will be whether a URL fits a
pattern. Pattern matching is done glob style. If the string matches the
pattern in one of the <TT>allow</TT> statements in a section but does not match
the pattern in any <TT>disallow</TT> statement, then the resource may be used.
<P> <STRONG>Remark</STRONG> <DL><DD> Notice that a result of this rule is that <TT>disallow
*</TT> will override any <TT>allow</TT> statement in a section.
<P> </DL>
<P> After a section statement with multiple arguments, each argument names a
separate string which must be matched. For example after <TT>section hosts
ports</TT>, enabling statements must present two patterns. The first will be used
to match a host computer and the second will be used to match a port on that
computer. Each pattern must match for an enabling statement to score a match.
<P> All lines in a configuration file undergo Tcl-style substitutions. This is
the basis for patterns such as <TT>$originURL*</TT> and <TT>$originHomeDirURL*</TT>.
In these cases a variable made available by the plugin master script is
substituted: <TT>originURL</TT> contains a canonical version of the URL used to
fetch the current tclet and <TT>originHomeDirURL</TT> contains that part of
<TT>originURL</TT> up to its file name. A "canonical" version of a URL is a
complete URL with occurrences of <TT>../</TT> removed from it.
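<P> The matching rule described in this subsection, modelled in Tcl as an added example; it is not the plugin's own code. The procedure names <TT>matchesAll</TT> and <TT>permitted</TT>, the rule lists and the <TT>example.com</TT> names are constructed for illustration, and the rules are held as Tcl lists rather than read from a <TT>.cfg</TT> file.

```tcl
# Added example modelling the rule in the text; not the plugin's own code.
# A rule is {allow|disallow pattern ?pattern ...?} with one pattern per
# section argument; values are the strings under test, in the same order.
proc matchesAll {patterns values} {
    if {[llength $patterns] != [llength $values]} { return 0 }
    foreach p $patterns v $values {
        if {![string match $p $v]} { return 0 }   ;# glob-style, every field
    }
    return 1
}

proc permitted {rules values} {
    set allowed 0
    foreach rule $rules {
        set verb [lindex $rule 0]
        if {![matchesAll [lrange $rule 1 end] $values]} { continue }
        if {$verb eq "disallow"} { return 0 }     ;# a disallow match overrides
        if {$verb eq "allow"} { set allowed 1 }
    }
    return $allowed                               ;# nothing allowed it: denied
}

# "section urls" as in home.cfg, after substitution (constructed origin).
set originHomeDirURL "http://www.example.com/tclets/"
set urlRules [list [list allow $originHomeDirURL*]]

# "section hosts ports": two patterns per line (constructed rules).
set netRules {
    {allow *.example.com *}
    {disallow * 25}
}

foreach {label rules values} [list \
    "file below the tclet's home" $urlRules {http://www.example.com/tclets/img/a.gif} \
    "file on another server"      $urlRules {http://other.example.net/a.gif} \
    "uncanonical ../ string"      $urlRules {http://www.example.com/tclets/../x} \
    "web port, listed domain"     $netRules {www.example.com 80} \
    "mail port, listed domain"    $netRules {www.example.com 25} \
    "web port, unlisted domain"   $netRules {www.example.org 80}] {
    puts [format "%-28s %s" $label [permitted $rules $values]]
}
```

<P> The third case shows that the test is purely textual: a string that still contains <TT>../</TT> fits the prefix pattern, which is why the strings being compared need to be in canonical form.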
<P> A description of the available variables can be found in the on-line
documentation for "plugin."
<P><A NAME="21.1a">
<STRONG>Exercise 21.1a</STRONG> </A><DL><DD>
Here is a way to see what the contents of <TT>$originURL</TT> and
<TT>$originHomeDirURL</TT> are. It involves executing a tclet that provides you
with a command and root window the way a Tk interpreter does when used
interactively. Even if you do not know much Tcl/Tk, you can do this
exercise. If you do know some Tcl/Tk, the tclets mentioned here will
be even more useful to you.
<P> Here are two tclets that provide you with command and root windows.
<OL>
<P> <P><LI> The tclet <TT>console.tcl</TT> in your <TT>plugin</TT> directory. This
directory is a peer of <TT>config</TT>. (Another peer is <TT>tk8.0</TT> which also
has a file <TT>console.tcl</TT>. This one is <CITE>not</CITE> a tclet.)
<P> <P><LI> The tclet
<TT>
<A HREF="http://www.mapfree.com/sbf/tcl/book/safeTk.tcl">safeTk.tcl</A></TT>
from this book's home Web directory.
</OL>
<P> Load one of these tclets into your plugin-enabled browser. If you cannot find
the root window, that is OK, you do not need it now. In the command window,
execute
<PRE>
getattr <CITE>VARIABLE_NAME</CITE>
</PRE>