Re: Annoucement: Local Browser Execution

George Phillips <phillips@cs.ubc.ca>
Date: 15 Dec 93 11:57 -0800
From: George Phillips <phillips@cs.ubc.ca>
To: www-talk@nxoc01.cern.ch
Message-id: <7069*phillips@cs.ubc.ca>
Subject: Re: Annoucement: Local Browser Execution

Larry Masinter says:
>Why not, instead of searching for "x-exec:", search for
>"http://cs.ubc.ca/exec/".  That is, build *into your client* the
>special case that if you see "http://cs.ucb.ca/exec/blah blah",
>instead of sending http protocol somewhere, you execute "blah blah" as
>a shell command.

If what you're getting at is that it is better to use an HTTP server
than x-exec:, then I agree, but only when you can use a server.
And there are two cases of that.  First, there are lots of people
who can't set up a server (not privileged enough, no network, etc.).
For them, "x-exec:" gives them access to server-only features like
search queries, forms and gateways.  It makes a web browser just
that much better of a tool for their use.

Second, if your x-exec: script has side effects, the equivalent
HTTP server implementation is much harder.  Take the news-reading
with history example.  My x-exec: script writes cache files and
the user's .newsrc.  So the server will have to authenticate the
connection as a particular user and, under UNIX, become that user.
That means it must run as root.  All this can be done, but I
think the security implications are much worse -- now you have
a world-accessible port on which anyone can try to crack
security.  I just wouldn't put that onto my server with just the "basic"
authentication.

I do agree that having a server which lets me do things like read
news from anywhere in the world I can get a WWW browser and an
internet connection would be wonderful.  The authentication
technology is not quite there yet (but it will be).  At any rate,
it doesn't help my first point -- you still have to have the
ability to set up the server to do it.  In fact, it gets worse
because you have to set up a server that does all the careful
authentication.  You move from a situation where any old user
can get the x-exec: news browser running to a
situation where only a high-level server guru can do the
job for you.  Sure, the server guru has given you something
much more and that's good, but why go to all that extra work
if you don't particularly care about running the news browser
anywhere but your local site?

And with x-exec:, once the authentication is strong enough
to trust, you'll be able to drop your scripts right into your
server since x-exec: uses the CGI.  In the meantime, I'll use my
ugly hack and explore what can be done.