Slashdot Mirror

← Back to Stories (view on slashdot.org)

WebKit For Metacity/Mutter CSS Theming?

Posted by kdawson on from the future-proofing dept.

An anonymous reader writes "As Metacity (the GNOME window manager) evolves into Mutter, the question of CSS themes and how to implement them has come up. One of the proposals was WebKit, which the author asked more specifically about on his blog. It seems that WebKit, being a very fast rendering engine, would allow Mutter to have unprecedented power, not to mention being nearly future-proofed. As a major bonus, going this way could allow GNOME to share themes with KDE, which is apparently already headed towards a dependency on WebKit. Many people will reflexively recoil at the idea of a browser being mixed with a window manager. But it's important to remember that WebKit is not a browser — it's just a rendering engine, and it's not where all the security issues come from. So, what are the real technical issues at stake here? What are the pros and cons of using WebKit underneath GNOME rendering?"

10 of 124 comments (clear)

  1. Re:Lets see... by bogaboga · · Score: 3, Insightful

    One of the pros: GNOME gets a "tested" engine to do most of the work required...

    And the con: GNOMErs will squabble about what to drop and in the end, they will create more duplication. Not good...not good at all.

  2. Re:Lets see... by camg188 · · Score: 5, Insightful

    "Lets see, some person makes a "theme" that exploits a flaw in WebKit"
    Could you explain to me why this would be a greater security risk than some person making a "theme" that exploits a flaw in Metacity?

  3. Re:Lets see... by msuarezalvarez · · Score: 2, Insightful

    Unless you were frozen in th 50s, that comment can only be explained as a joke... if there is something of which there is plenty, that's window managers...

  4. Re:Lets see... by Fnord · · Score: 4, Insightful

    But, your window manager doesn't run as root. And themes have to be installed by the end user. This is no less secure that just using a browser.

    The overhead could be ridiculous, sure, but this just isn't a security problem.

  5. Re:Lets see... by ubernostrum · · Score: 4, Insightful

    Browser rendering engines? In my application UI? It's more likely than you think, especially if you use Firefox, or any other application built around a XUL runtime. How many CSS-only exploits you heard of for them?

  6. Re:Lets see... by SanityInAnarchy · · Score: 5, Insightful

    Wait, how does this make it easier? Metacity's code is open already.

    There are going to be a ton more crackers wanting to find ways to exploit Safari and Chrome than there will ever be wanting to find flaws in a WM.

    And a ton more hackers working to fix those flaws.

    Basically, without WebKit GNOME is just another DE, interesting, but not worth the work to exploit. On the other hand, with a ready-made script, it wouldn't take too long for someone with no skills to exploit it.

    So you're basically arguing in favor of security through obscurity, and against code reuse?

    Also, I fail to see how it's more dangerous for the average user to have their WM compromised than their browser. It's a lot easier to trick people into visiting a website, just once, than it is to convince them to install your theme.

    --
    Don't thank God, thank a doctor!
  7. Re:Lets see... by RiotingPacifist · · Score: 3, Insightful

    and a pre-made rootkit to gain access.

    you keep using that phrase, I don't think it means what you think it means.
    1) your WM runs at user level, an exploit would therefore at best gain the ability to run code at user level.
    2) you WM can be locked down pretty tough by apparmore/selinux/etc, so whatever code it can execute is limited to the functions of a WM anyway (no net access, no disk writes, etc)
    3) if your downloading random themes from untrusted users, it's easier to attack you by giving you a widget/screenlet or random script to run.
    4) if there is a security flaw in the webkit rendering engine, surely you can just exploit peoples browsers when they go to download your theme.

    In summary please never talk about security ever again.

    --
    IranAir Flight 655 never forget!
  8. Re:WTF? No more CSS? by moosesocks · · Score: 3, Insightful

    Try using CSS for a while, and you'll see that its creators left out some frankly baffling features, such as the ability to center an element.

    The 3 major implementations (Mozilla, WebKit, and IE) all had major differences in their first versions (with none of them implementing the spec properly!)

    Other features that (dead tree) page designers would find extremely common were left out as well (hyphenation and columns being my biggest personal pet peeves)

    Currently, there's a big push to do applications and graphics using CSS and Javascript, which have resulted in WebKit and Mozilla adopting a set of proprietary CSS attributes that aren't part of the standard.

    Don't get me wrong -- style sheets were an absolute godsend to web development. However, both the standard (and the implementation of that standard) are crap. Metacity would be much better off taking NeXT/Apple route, and using a PDF/PostScript derivative.

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
  9. Re:Unprecedented? Please. by haruchai · · Score: 2, Insightful

    Active Desktop was part of or released with IE4, probably in mid-97. Too bad it sucked system resources so hard and was so unstable

    --
    Pain is merely failure leaving the body
  10. Re:Power and future-proofing? by Flossymike · · Score: 2, Insightful

    Just a random thought off the top of my head, but would using css potentially help with technologies such as screen readers for the blind? Also, as you could have named areas, does it open up areas which can be set as preferences, for instance deciding that you prefer to have menus always at the top of the screen.

    Just my 1p