Framing

Framing

Display servers like X provide what's described as 'windowing' – the ability for a client application to host another application within a box on the screen.

I prefer to refer to it as 'framing' for two reasons: first, it avoids confusion with a well-known trademark. Second, Hipe (eventually, when it's done!) implements application frames using <iframes> in the webkit engine.

Actually managing the frames (providing title bars, close buttons, ability to move or resize frames, etc.) are beyond the scope of Hipe. It will be up to whoever puts together a system distribution to develop or distribute an appropriate 'framing manager' to provide this level of interatction.

Lessons from X

In the X Window System, there is little or no security provided. Any application can modify any other application's output just by knowing its window ID number. A window manager in X is a designated application that looks for new windows appearing on the screen and quickly wraps them up with title bars and window controls (usually by reparenting them inside another window) before the user notices.

The security implications of X's approach aren't great. It's part of the reason why web browsers have to be designed to isolate web pages from the rest of the GUI environment, and why web browser plugins are potentially vulnerable to security exploits. The security implications also limit the potential of the platform when it comes to running remote applications in a native way.

Hipe does things a little differently. With Hipe, each application is nominally entitled to one frame for user output. If the application supports multiple documents, it is up to the application developer to provide an interface to allow the user to access multiple documents within that frame.

Rather than just having a single framing manager that manages all applications running in the user's session, every application can potentially act as a framing manager to host applications or content that it is in charge of. The critical point of this nested approach is that no application's frame is allowed to leave the frame of its host.

Host keys

Unlike X, an application can't just connect to a Hipe session, receive a window, and start displaying output. It must first provide a host key. A host key is a unique string which only the framing manager knows. A framing manager shares its host key with applications it is willing to host. The sharing mechanism itself is not specified by Hipe. A framing manager that hosts remote applications may require an entirely different communication protocol to one that deals with local applications.

A host key can only be used once, to host one frame. The next application that wants to connect to a framing manager needs to obtain a new host key from the framing manager.

There are also top-level frames. For example, a top-level framing manager that implements the operating environment of a particular OS distribution. These fill the whole screen and cover up whatever is behind them. Creating a top-level frame requires a key too. By default, the Hipe server stores the key in a file in a predictable location on the user's filesystem, and overwrites the file with a new key whenever a key is claimed. Only applications with appropriate permission to access the key file are able to create top level frames.