473,323 Members | 1,570 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,323 software developers and data experts.

Python as client-side browser script language

What would it take to create a Firefox extension that enables Python as
a script language in the browser - just like Javascript? Is it at all
possible? Are the hundred good reasons not to bother?

I once made an application that used MozPython[1]. It was fun and very
fast compared to the Mod_Python I eventually replaced it with. I had
to, because of all the mess updating Mozilla caused. ActiveState has a
project too [2]. But none of these can replace Javascript

Grail used Python as scrpt language, I believe. And by the
Win32-wonders of Mr. Hammeond it's possible to use Python in IE. But
what aboit a easy-to-install extension for Firefox? Wouldn't that be
cool?
[1] http://www.thomas-schilz.de/MozPython/README.html
[2] http://www.mozilla.org/catalog/archi...xpcom/pyxpcom/

Jul 19 '05 #1
7 12457
Rune Strand wrote:
What would it take to create a Firefox extension that enables Python as
a script language in the browser - just like Javascript? Is it at all
possible? Are the hundred good reasons not to bother?


There are certainly security issues. A simple implementation
that started a "normal" Python script fetched from a web page
on the shady parts of the web, could certainly create a real
mess. Ouch. Today, there are really no security features in
Python. Those that used to exist were remvoed since they weren't
considered good enough, and giving a false sense of security
wasn't considered a good idea...

Of course, one might suggest that it's the task of the browser,
and not of the scripting language, to provide a safe sandbox
where scripts can mess around and without causing havoc on
your computer. Such a system in the browser could be used to
grant different rights to different parts of the net, regardless
of what kind of scripting language the resources on those parts
of the net use. When Firefox has something like that, it's time
to start marketing Python for client side scripting I think.
Jul 19 '05 #2
Magnus Lycka <ly***@carmen.se> writes:
Of course, one might suggest that it's the task of the browser,
and not of the scripting language, to provide a safe sandbox
where scripts can mess around and without causing havoc on
your computer. Such a system in the browser could be used to
grant different rights to different parts of the net, regardless
of what kind of scripting language the resources on those parts
of the net use. When Firefox has something like that, it's time
to start marketing Python for client side scripting I think.


Huh? The language itself has to provide the sandbox. If the
browser's control over the script language is so fine-grained as to
control every attribute access then the browser and the language are
no longer separate. Remember that scripts have to be able to see
certain DOM elements but not others, and some of them have to be
read-only, etc.
Jul 19 '05 #3
Paul Rubin wrote:
Huh? The language itself has to provide the sandbox.
Remember that scripts have to be able to see
certain DOM elements but not others, and some of them have to be
read-only, etc.


If the DOM objects are implemented as built-in Python
types, there shouldn't be any difficulty with that.
Python objects have complete control over which attributes
can be read or written by Python code.

That, together with restricting what the open() function
can do, ought to provide a pretty good sandbox.

--
Greg Ewing, Computer Science Dept,
University of Canterbury,
Christchurch, New Zealand
http://www.cosc.canterbury.ac.nz/~greg
Jul 19 '05 #4
Greg Ewing <gr**@cosc.canterbury.ac.nz> writes:
If the DOM objects are implemented as built-in Python
types, there shouldn't be any difficulty with that.
Python objects have complete control over which attributes
can be read or written by Python code.


No, they don't. See the sorry history of the rexec/Bastion modules.
Jul 19 '05 #5
Greg Ewing <gr**@cosc.canterbury.ac.nz> wrote in message news:<3g************@individual.net>...

If the DOM objects are implemented as built-in Python
types, there shouldn't be any difficulty with that.
Python objects have complete control over which attributes
can be read or written by Python code.

That, together with restricting what the open() function
can do, ought to provide a pretty good sandbox.


Is that really enough, though? Previous discussions [1] suggested that
the problem was pretty extensive, and the topic has been proposed [2]
for the Summer of Code thing [3], although $4500 may not be a lavish
enough amount if the work requires a complete overhaul of CPython.

But on the subject of Python as a browser *extension* language where
you download extensions from trusted sources and run them from the
browser, PyKDE can be used with Konqueror to explore this area,
although it does require a very recent PyKDE to work fully - see the
kpartplugins on this page for more information:

http://www.boddie.org.uk/david/Proje...KDE/index.html

It would also be great to unify Konqueror and Mozilla in some way by
providing a common API for Python extensions - this could be done by
wrapping Mozilla's DOM, presumably exposed via PyXPCOM [4], in a way
similar to qtxmldom [5], and then making sure the boilerplate
(initialising the extension, getting initial references to browser
documents) is separated out from the actual extension code.

Paul

[1] http://www.amk.ca/python/howto/rexec/rexec.html
[2] http://wiki.python.org/moin/RestrictedExecution
[3] http://code.google.com/summerofcode.html
[4] http://www.mozilla.org/catalog/archi...xpcom/pyxpcom/
[5] http://www.python.org/pypi/qtxmldom
Jul 19 '05 #6
Paul Rubin wrote:
Magnus Lycka <ly***@carmen.se> writes:
Of course, one might suggest that it's the task of the browser,
and not of the scripting language, to provide a safe sandbox
where scripts can mess around and without causing havoc on
your computer. Such a system in the browser could be used to
grant different rights to different parts of the net, regardless
of what kind of scripting language the resources on those parts
of the net use. When Firefox has something like that, it's time
to start marketing Python for client side scripting I think.

Huh? The language itself has to provide the sandbox. If the
browser's control over the script language is so fine-grained as to
control every attribute access then the browser and the language are
no longer separate. Remember that scripts have to be able to see
certain DOM elements but not others, and some of them have to be
read-only, etc.


I'm not sure I agree with you. This is certainly not the way
security is typically handled in computer systems. Operating
systems limits access to OS resources such as files, memory,
I/O etc. Resource managers such as database systems limit
access to data based on some kind of authentication. It's
not up to e.g. the database client to control this. The same
underlying mechanisms work regardless of the programming
language used to code the applicaqtion that wants access to
the resources. There are no particular securty issues in
writing DB apps in Python instead of Java for instance.

Why shouldn't the browser manage resource access for a "foreign"
script running embedded in it? I think it's fairly obvious
concerning pure browser resources such as the DOM. Concerning
pure OS resources such as files, it seems to me that something
like a chrooted environment would be best, and I assume this
must somehow be provided by the OS.

I'm sure it's a non-trivial task to develop such an environment
so that it's practical, efficient and safe, but it would open a
lot of doors if it could be done. It's possible that new scriping
languages must be trimmed a bit to be able to work in such a
confinement, but it would certainly enable the use of alternatives
to Java as powerful client side application languages in web apps.
Jul 19 '05 #7
Sorry to resurrect a slightly older topic, but I want to clarify some
points about how the browser DOM and the script language interact.

Paul Rubin wrote:
Huh? The language itself has to provide the sandbox.
Remember that scripts have to be able to see
certain DOM elements but not others, and some of them have to be
read-only, etc.
Greg Ewing wrote: If the DOM objects are implemented as built-in Python
types, there shouldn't be any difficulty with that.
Python objects have complete control over which attributes
can be read or written by Python code.


In web browsers, Javascript does not provide the sandbox. The browser
provides scripts with certain objects like "document" or "window" but
these are not native script objects at all. They're wrappers for
browser-native objects, usually written in C/C++ and exposed via an
ActiveX or XPCOM interface. (IE uses ActiveX, Mozilla uses XPCOM). The
interfaces to these browser-native objects enforce the security model
by restricting what the scripting language is allowed to do within the
browser context.

If you attempt any foul play with a browser-native object, it can
simply feed an exception back to the script wrapper, and your script
code fails. That's the sandbox.

Following are some relevant links for those interested in further
details:

DOM Intro (especially the section, DOM vs javascript:)
"That is to say, [the script is] *written* in JavaScript, but it *uses*
the DOM to access the web page and its elements."
http://www.mozilla.org/docs/dom/domref/dom_intro.html

"Mozilla's DOM is coded almost entirely in C++. ... When, in
JavaScript, a client tries to access a DOM object or a DOM method on a
DOM object, the JS engine asks XPConnect to search for the relevant C++
method to call."
http://www.mozilla.org/docs/dom/mozilla/hacking.html

"The DOM makes extensive use of XPCOM. In fact, to do anything with the
DOM implementation you need XPCOM."
http://www.mozilla.org/docs/dom/mozilla/xpcomintro.html

Talking to XPCOM in Python
"The techniques for using XPCOM in Python have been borrowed from
JavaScript - thus, the model described here should be quite familiar to
existing JavaScript XPCOM programmers."
http://public.activestate.com/pyxpcom/tutorial.html

So in theory you should be able to create a python script interpreter,
at least for Mozilla. In practice you'd either need to be an expert
with the Mozilla source code, XPCOM, and Python... or you'd find
yourself becoming an expert by necessity.

---

Incidentally when people don't understand the difference between DOM
objects and Javascript objects, they end up with lots of memory leaks:
http://jgwebber.blogspot.com/2005_01...r_archive.html

Jul 19 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Paul Keating | last post by:
I have a very simple COM server written in Python that is trying to return a two-dimensional array 268 x 20. The values it contains are some small integers, some short (<29 character) Unicode...
2
by: Michael Hatmaker | last post by:
I have begun experimenting with web services, and I created some simple web services in C# and was able to install them with IIS and create an equally simple C# client to consume them. My next...
5
by: Peter Maas | last post by:
I just tried to connect to a PostgreSQL8 beta2 database server with pyPgSQL 2.4 and got a libpq.DatabaseError telling "Ivalid format for PgVersion construction". Is there already a PyPgSQL...
0
by: sabz | last post by:
Hi, I want to create a python client, that will receive and post messages to an HTML Webserver. I have found several articles on how to read html data, which i have been able to do. but i cant find...
8
by: Joakim Persson | last post by:
Hello all. I am involved in a project where we have a desire to improve our software testing tools, and I'm in charge of looking for solutions regarding the logging of our software (originating...
2
by: asmirnov1234567890 | last post by:
Hi does anybody knows how to use JINI service from Python? Regards, Andrei
5
by: gel | last post by:
Hi I have written a python client server app that keeps an eye on processes starting and ending on a client and makes decision on what to do based on information from the server end. I want to...
2
by: mohit | last post by:
Hello, I am a .NET developer experimenting with Python. I need to consume a .NET web service in a Python client. how do I go about it? which libraries do i need? pointers to help me get...
3
by: madsornomads | last post by:
Hi all, I have a problem with reading from a Java server after I have written to it - it just hangs. It works fine if I just write to the server and not try to write. I have read the HOWTO on...
0
by: aaahelpme | last post by:
Hi, I have installed python 2.5 and ZSI support for SOAP message. I write a littel client in python that send a request to a server Muse. In the request i have a SOAP header messages NULL. I...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.