Slashdot Mirror
WebKit For Metacity/Mutter CSS Theming?
An anonymous reader writes "As Metacity (the GNOME window manager) evolves into Mutter, the question of CSS themes and how to implement them has come up. One of the proposals was WebKit, which the author asked more specifically about on his blog. It seems that WebKit, being a very fast rendering engine, would allow Mutter to have unprecedented power, not to mention being nearly future-proofed. As a major bonus, going this way could allow GNOME to share themes with KDE, which is apparently already headed towards a dependency on WebKit. Many people will reflexively recoil at the idea of a browser being mixed with a window manager. But it's important to remember that WebKit is not a browser — it's just a rendering engine, and it's not where all the security issues come from. So, what are the real technical issues at stake here? What are the pros and cons of using WebKit underneath GNOME rendering?"
"Lets see, some person makes a "theme" that exploits a flaw in WebKit"
Could you explain to me why this would be a greater security risk than some person making a "theme" that exploits a flaw in Metacity?
As long as it keeps my desktop active, like some sort of active desktop, then it's all good.
CSS barely functions on the platform for which it was intended, and now you want to bring it to a platform that has well-established, functional, themeable rendering engines already in existence?
CSS was intended to let designers seperate from function from form - how is that lacking in current themeing environments? The linked blog contains a laundry list of features that are in CSS that are not applicable to desktop themes and features that are not in CSS that are necessary for desktop themes. What I don't see is a list of features that CSS brings to desktop themes that are impractical in existing systems.
Let's see: a system that barely works on its intended platform that contains functionality not applicable to the new, suggested platform and is missing functionality necessary on the new, suggested platform. Gee, sounds like the right technology for the job!
But, your window manager doesn't run as root. And themes have to be installed by the end user. This is no less secure that just using a browser.
The overhead could be ridiculous, sure, but this just isn't a security problem.
Browser rendering engines? In my application UI? It's more likely than you think, especially if you use Firefox, or any other application built around a XUL runtime. How many CSS-only exploits you heard of for them?
Wait, how does this make it easier? Metacity's code is open already.
There are going to be a ton more crackers wanting to find ways to exploit Safari and Chrome than there will ever be wanting to find flaws in a WM.
And a ton more hackers working to fix those flaws.
Basically, without WebKit GNOME is just another DE, interesting, but not worth the work to exploit. On the other hand, with a ready-made script, it wouldn't take too long for someone with no skills to exploit it.
So you're basically arguing in favor of security through obscurity, and against code reuse?
Also, I fail to see how it's more dangerous for the average user to have their WM compromised than their browser. It's a lot easier to trick people into visiting a website, just once, than it is to convince them to install your theme.
Don't thank God, thank a doctor!
I have no idea why you're modded insightful. I'm tempted to mod you down, but I'll reply, instead:
I know its fashionable these days to do everything over HTTP and inside a browser but it's just a fad.
Yeah, the Web is "just a fad". OK, I'll get off your lawn.
Oh, and what does HTTP have to do with this? Or a browser? This is just a rendering engine, nor is it the first app to do this -- Firefox itself does its UI in XUL, as does Thunderbird, Songbird, and several other apps.
Everybody knows it sucks from a design / efficiency point of view
Design, you may have a point. I'd be interested to hear it.
Efficiency is actually getting quite good, especially for what this is.
I'm not going to waste my time writing a detailed rant about why you shouldn't use a freaking browser rendering engine to draw your GUI for you because thanks to the openness of Linux I will just be able to load one of 10's of other, infinitely faster window managers.
Good. But if you'd written a longer rant, there might actually be more to discuss.
But let's go back to your original point:
Would it not be better to use a compiled, binary version of CSS for this sort of thing to reduce the overhead.
So... Why would we want to use a "compiled, binary" version of anything we don't have to? Your startup scripts are in Bash. If you're on Ubuntu, a fair amount of your upgrade scripts are in Python.
For efficiency's sake, you say. Ok, but why would you want it stored that way? Web browsers are proof that it really doesn't take that long to parse CSS, HTML, and Javascript. There's no reason the runtime can't store them in some binary/bytecode format, but why would you complicate the on-disk format?
For space? Those things compress well. And again, browsers are proof that compression is fast enough for people to not notice or care.
For boot time? Again, browsers prove that's kind of a non-issue -- most websites I view are massively more complex than some borders around a window. Turn on Flashblock, and tell me you wouldn't love for a computer to boot as fast as a typical website loads.
Now, I understand where you're coming from. I used Fluxbox for a long time. Then I realized that KDE4 loads in about two seconds on my machine, and zero seconds vs two seconds to load a GUI isn't enough of a difference for me to care, considering the functionality I get out of it. (Actually, I realized this with KDE3...)
And as for the functionality, I don't know the first thing about skinning a window manager. I do, however, know how to build HTML and CSS. So, me suddenly knowing how to build themes, easily, I call that a useful feature.
Don't thank God, thank a doctor!
I'm not sure I understand how you start by saying that CSS barely works for the target environment - BILLIONS of web pages are served every day in a (relatively) cross-platform fashion.
Many of these are rather good looking, too.
So I'd have to argue that CSS doesn't work. The areas where CSS is weak consist primarily of CSS specs that have NOT been implemented (*ahem* IE) or implemented in a bone-headed way (*ahem* IE) not in areas of weakness within the CSS spec itself.
Perhaps the most amazing thing about CSS is how trouble-free its implementation has been, and just how smooth the transition actually has been.
Old stuff still basically works, new stuff just basically works better.
But while we're at it, we should also pay homage to KDE, Konqueror, and its many progeny. KDE begat Konqueror. Konqueror begat Webkit, which has begat (among too many other web-like to mention) Chrome/Chromium and Safari. And just about everybody who has worked on or with Webkit has raved about its clean design and crisp implementation.
So, we must give kudos to the excellent KDE team who has produced a product that is just now starting to give Mozilla / IE a run for their money, without all the funding by AOL for all those years.
Good job, KDE team!
I have no problem with your religion until you decide it's reason to deprive others of the truth.