A Tcl/Tk Netscape Plugin, by Jacob Levy
Abstract: I have built a plugin module for Tk, for Netscape Navigator. This module delivers Tk applications as elements of Web pages and it makes it possible to create web based applications that have a richer GUI than HTML.Tcl also makes building such applications easier due to its high level scripting nature, and Safe Tcl helps construct web applications that can safely perform interesting tasks such as communicating with local or remote resources. The demonstration will show how the plugin module works and some of its capabilities and limitations.
I believe that Tcl and Tk  are useful for scripting the Internet. Tcl provides an expressive set of features that are portably implemented on a wide variety of platforms. Tcl has recently been enhanced with network communication capabilities, significantly easing the task of creating network aware applications. Tk is a mature and portable GUI kit built on top of Tcl that is available for all of today's popular desktop systems.
To make Tcl a ubiquitous scripting language for the Internet, a delivery vehicle for Tcl applications over the network is needed. Netscape Navigator , with its ability to host plugin modules , offers such a delivery mechanism. A plugin module is an extension, supplied by a third party, to allow a browser to display information for which the browser does not have built in support. A plugin module displays its data in a window given to it by the browser. The plugin module can interact with the user through this window.
Plugin modules are not complete programs; they are activated inside the browser's address space and windowing hierarchy. While there is no standard in this area yet, generally the browser limits interaction between a plugin module and other displayed elements of a page. Plugin modules are written in C/C++ and have full access to the hosting system.
Embedding Tk programs in Web pages provides unique advantages:
Two goals were paramount in designing the Tk plugin module:
- Tk allows the construction of much richer and reactive GUIs than possible with HTML . For example, in HTML there is no way to display structured graphics, as is possible with Tk's canvas widget.
- Tcl, as a high level scripting language, facilitates the development of interactive web based applications. It is much easier to write a Tk program to perform a web based function than it is to write a complete plugin that delivers the same functionality.
- Safe Tcl  provides a solid base for flexible security policies that allow applications to perform functions that would otherwise be impossible in untrusted scripts. For example, Safe Tcl can provide security policies that allow varying degrees of access to local and remote resources. The Tcl plugin can make use of Navigator's authentication facilities, when Navigator will be extended with the required APIs.
- Tcl, due to its late binding, allows incremental delivery of applications over the Web. An application can be partitioned into small chunks of functionality that are loaded on demand, as the user requests access to each part. Additionally, Netscape Navigator's cache policy can be configured to ensure that the user always sees the latest version; this eliminates the need to maintain several versions of an application.
The paper describes the implementation issues I faced when constructing the plugin module. It then describes some possible uses of the Tk plugin module, and discusses what the plugin can and cannot do. I then describe the current status of the development of the plugin, and briefly hint at possible future projects.
To implement the Tk plugin module, I encountered three main issues:
Netscape Navigator provides a native window in which an instance of a plugin can display itself. The window belongs to Netscape and can be modified at will by Navigator. Navigator provides notifications to the plugin to inform it of important events that affect the window such as resizing and destruction of the window. However, Tk expects that all windows that it uses to display content are created by it and are completely owned by it. Tk also believes that ``.'', the application's main window, is really a toplevel window and not the child of some other window; Tk wants to set the size and position of toplevel windows and interact directly with a window manager. To address this, Tk has been enhanced so that it is able to create a main window that is a child of another window. This also provides Tk with the illusion that it is interacting with a window manager to manage the position and size of its main window.
A related issue is event handling. Tcl has its own event loop that provides file and timer based events, in addition to UI events. Because I do not have access to the event loop in Navigator, I decided to provide a separate event loop for the plugin module, using the most appropriate mechanism for each platform. This also avoids extensive modifications to Tk. In Win32  and Solaris 2.x, I use a timer that causes the Tcl event loop to be entered periodically. This allows the plugin module to react to events in a timely fashion without interacting with Navigator's event loop. I considered running Tk inside its own process and communicating with Navigator using sockets; however it is difficult to manage a window belonging to one process inside another, and the plugin would not have the same level of access to Navigator's API as is possible when it executes within the same address space.
Incoming scripts are not trusted and should be executed in an environment that prevents them from damaging the host system by e.g deleting files or stealing private information. Safe Tcl provides an environment in which an untrusted script cannot do such damage. Each script is executed inside its own interpreter which is made safe by removing ``dangerous'' commands. Safe Tcl also provides a mechanism for implementing security policies that allow untrusted scripts to safely perform many interesting tasks: interpreters are arranged in a master slave hierarchy; a slave interpreter can be extended by its master with safe access to unsafe functionality in the master. For example, a policy can enforce that a script has read only access to local files but cannot communicate with off-site processes.
Tk prevents a script from damaging the host site or stealing its private information; however, currently it allows scripts to mount denial of service attacks, e.g. by globally grabbing the mouse and never releasing the grab. A subset of Tk that prevents such attacks should defined and be made available in safe interpreters. This is an area for further research.
Uses for a Tk Plugin Module.
Three main uses are envisioned for the Tk plugin module:
Limitations of the Plugin.
Status and Future Plans.
I intend to release the plugin for Windows NT, Windows 95 and Solaris 2.x at the workshop, for experimentation by the Tcl community. A MacOS version of the plugin will be distributed later. The plugin is in active development at the time of writing and its capabilities are improving rapidly. It is currently able to display Tk applets inside windows embedded in Navigator's window hierarchy, and it is able to load scripts from remote or local URLs.
ActiveX [9, 10] is being promoted by Microsoft as an alternative to plugins. I have created a version of the plugin packaged as an OLE control (OCX) , and I will also release this package at the workshop. My intent is to continue developing the OCX to make it usable as a component in the upcoming Windows 95 desktop which will be an OCX container.
Plugin modules are currently not usable in a variety of browsers, because there is no standard for the interface between the browser and the plugin module. I expect that increasing interest in plugin modules will spur standardization efforts in this area, perhaps under the auspices of the W3 consortium. Therefore I will target my efforts to provide a Tk plugin module at those plugin enabled browsers that capture a significant market share. I expect that more browsers will shortly support plugin modules. Microsoft Internet Explorer  , Spyglass Mosaic  and Oracle's PowerBrowser  also support plugins; Oracle PowerBrowser uses Netscape's plugin API.
I am planning to add the following functionality to the plugin, to enable it to host more powerful applets:
Early versions of the plugin module were developed by Jeff Hobbs. Colin Stevens provided Win32 expertise and helped develop the plugin module on Windows NT and Windows 95. John Ousterhout made the enhancements to Tk that allow it to be embedded in other window hierarchies.
- ``Tcl and the Tk Toolkit'', John K. Ousterhout,
- Netscape Navigator 3.0.
- Netscape Navigator plugin SDK.
- The W3 Consortium Web Site.
- ``A Safe Tcl Toolkit For Electronic Meeting Places'', Jacob Levy, in Proc. 1st USENIX Workshop on Electronic Commerce, pp. 133-137, NY, NY (1995).
- ``Win32 Programmer's Reference, Vol. 1-5'', Microsoft Press, (1994).
- The JavasScript language.
- The Java language.
- The ActiveX SDK.
- ``Inside OLE'' Kraig Brockschmidt,
Microsoft Press (1995).
- ``OLE Controls Inside Out'', Adam Denning, Microsoft Press (1995).
- Microsoft Internet
- SpyGlass Mosaic.
Last Modified: 10:45am PDT, May 24, 1996