Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Language options for scripting cross-platform RIAs in 1997 (20070729)
I noticed that according to the Internet archive, Sun released the beta of the version 2 of the Tcl/Tk web browser plugin in October 1997. This version of the plugin was cross-platform (Windows, Macintosh, Solaris, SunOS, Linux, IRIX) and cross-browser (Netscape Navigator, Microsoft Internet Explorer and Opera). The latest version of the plugin supports Linux, Solaris and Windows.
Unlike JavaScript, Tcl/Tk could be used to develop standalone and platform-agnostic non-browser applications as well. The "hello world" Tk program
button .b -text "Hello world"
pack .b
<embed src="helloworld.tcl" />
or the command line
% wish helloworld.tcl
Another interesting aspect of the Tcl/Tk plugin is that the security policy was written in Tcl. A trusted interpeter controls what commands are present in a sandbox interpreter:
interp create -safe untrusted
The user's security policy overrides the implementation of dangerous commands (quoting from the Safe-Tcl page), e.g., if the command file extension was allowed but not the command file open:
proc Interp_File {operation args} {
switch -- $operation {
extension -
dirname -
rootname -
tail {
return [file $operation [lindex $args 0]]
}
default {
error "Unsupported file operation: $operation"
}
}
}
interp alias untrusted file {} Interp_File