[cap-talk] Reducing the authority of a file browser in a capability OS.

[Kevin Reid]

On Dec 21, 2009, at 21:37, David-Sarah Hopwood wrote:

> Let's extend this in order to associate previewers with particular  
> types. A previewer is a resource-limited pure function that takes as  
> input the contents of a file (as a lazy input stream), its type, and  
> the dimensions of the desired preview, and returns the data of a  
> preview image. This would add the following facets to a  
> BrowserManager:
>
>  putPreviewer(fileType, previewer) :void
>  getPreviewer(fileType) :Previewer
>  preview(browseFile, dimensions) :ImageData
>
> Suppose now that we want the browser to be able to display the  
> preview but not read its image data (so that it obtains no  
> information about the file contents via the preview). Instead of  
> giving the browser the 'preview' facet, we can give it an attenuated  
> version that calls a
>
>  makeDisplayOnlyImage(imageData, dimensions) :DisplayOnlyImage
>
> facet of the window system on the result of 'preview' before passing  
> it to the browser. This would validate the image data and return a  
> sealed DisplayOnlyImage that can only be unsealed and displayed by  
> that window system instance, in a window that does not allow pixel  
> data readback.


Quibbling with your details, not your general presentation: This is  
inferior to existing systems. Mac OS X 'Quick Look' previews are  
interactive (scrolling documents, flipping pages, video, JavaScript)  
and, IIRC, the previewer is confined to do nothing but control its  
window region (no writing to other files etc.) (Or possibly it was  
file indexers that are confined, if not both; I'm not certain.)

But all that is needed to support this is to replace your  
'DisplayOnlyImage' with opaque-widget objects, and have the core  
window system support widgets/subregions/subwindows.

-- 
Kevin Reid                                  <http://switchb.org/kpreid/>