Re: [dev] Interesting Web Browser Decoupling Concept

From: Rendov Norra <tsobf242_AT_gmail.com>
Date: Mon, 12 Jun 2017 12:26:05 -0700

Yes, remote arbitrary code execution is already the norm. And if you
ask me, it is precisely the reason Web browsers suck as much as they do.
Maybe it could be done well, but you'll have to forgive me, I've been
burned too many times.

Also HTML/CSS is not code that is executed or interpreted, it's a
markup language, a description of a document. Plugins are also not
remote arbitrary code execution, they are local code execution, code
you have control over.

Regarding code bloat, if the past is any indicator, no company gives
two flying fucks about efficiency or clean code. The code with the
most features ultimately wins out.

If you want a battleground for a browser, then by all means make
arbitrary code execution the backbone of it.

On Mon, Jun 12, 2017 at 5:47 AM Louis Santillan <lpsantil_AT_gmail.com> wrote:
>
> You have remote arbitrary code execution now (because of HTML, CSS,
> JS, and plugins) in your current web browsers.  However, if the remote
> code was effectively constrained (yes, a difficult problem [0][1][2]),
> there could be hope.
>
> The code bloat of others isn't something you have to worry about.
> They optimize when they need to (or when it affects their bottom
> line).  But if you could start off with a better, smaller, faster,
> more secure base, would you want to?
>
> I think, requiring PKI style handshakes (or maybe what Crockford
> suggests [3]) for session oriented communications [4], communicating
> only in human readable markups (like Markdown [5], ASCIIDoc [6],
> Wiki/Creole [7]/Creole+Salt+OpenIconic [8]) without content
> negotiation, and creating smaller API interfaces, there could be
> important improvements there.
>
> [0] https://developers.google.com/caja/
> [1] http://www.adsafe.org/
> [2] http://restrictmode.org/
> [3] http://www.seif.place/seifhandshake.html
> [4] https://github.com/paypal/seif-protocol/blob/master/seif-protocol-specification.pdf
> [5] http://spec.commonmark.org/
> [6] http://asciidoctor.org/docs/what-is-asciidoc/
> [7] http://www.wikicreole.org/wiki/Creole1.0
> [8] http://plantuml.com/salt
>
> On Sun, Jun 11, 2017 at 7:53 PM, Rendov Norra <tsobf242_AT_gmail.com> wrote:
> > I fail to see how remote arbitrary code execution is a feature. Maybe
> > I'm missing something.
> >
> > I suppose in essence it would suck less in that there'd be fewer APIs,
> > but you'll just get the same lazy code and bloat that most software
> > exhibits, but with the ease of visiting a webpage.
> >
> > On 6/10/17, Louis Santillan <lpsantil_AT_gmail.com> wrote:
> >> https://youtu.be/1uflg7LDmzI?t=5m35s
> >>
> >> James Mickens calls it Project Atlantis.  Make the web/content
> >> developers responsible for their own rendering and content parsing.
> >> Narrow & simplify the scope of what a browser needs to be (shouldn't
> >> duplicate all the functions of an OS).  His Deny First Same Origin
> >> Policy is also a worthy change to current standards.  This coupled
> >> with some of the concepts from Seif [0] (though not the current code
> >> base, I disagree with the choice of nodejs & Qt), could make web
> >> browsing . . . better, safer, more performant.
> >>
> >> Interesting things to consider with some of the suckless ethos.
> >>
> >> [0] https://youtu.be/0w6tZEbrHIY
> >>
> >>
> >
>
Received on Mon Jun 12 2017 - 21:26:05 CEST
