[dev] Re: [surf] Switching to webkit2 as default

From: Charles Lehner <cel_AT_celehner.com>
Date: Fri, 5 Feb 2016 19:40:55 -0500

On Thu, 4 Feb 2016 19:16:09 +0100
FRIGN <dev_AT_frign.de> wrote:

> > I try not to keep too abreast of things like GTK and WebKit, for the
> > sake of my sanity, but I read this[0] today which was a pretty scary
> > read, really.
> I also read this article a while ago.

After reading that article I decided to move more fully to using
surf-webkit2 and port over my local patch set.

> > One thing that is particularly important is that webkitgtk2 is
> > receiving security updates, whereas webkitgtk1 is not, and hasn't
> > for quite a while. I was not aware of this. Web browsing is a
> > dangerous thing, and I didn't realise quite how many known
> > vulnerabilities I have been surfing with, and would like to reduce
> > that number.

I agree. The discussion of security also got me thinking that surf
should probably do something about HTTPS certificate verification.

From the article:

> Old versions of Epiphany and Midori load pages even if certificate
> verification fails; the verification result is only used to change the
> status of a security indicator, basically giving up your session
> cookies to attackers.

I did a quick test visiting some sites with invalid certificates:
surf-webkit1 and surf-webkit2 load them without any notice. So I am
currently vulnerable to MitM attacks when using surf.

> Thing is, to use the only sane backend we would have to port surf
> to GTK3. I am not that deeply involved in surf development, but given
> there are other backends around (the Chrome blink backend for example
> and others) it's not an easy decision to make.

surf is already ported to GTK3 and Webkit2 (webkit2gtk-4.0) in the
surf-webkit2 branch, or in Quentin's fork [1], mentioned in hackers_AT_

> In my humble opinion, I like the Chrome backend because they cut out
> considerable amounts of Apple legacy stuff, whereas the normal webkit
> is a bit more crufted (all webkit versions are bloated).

I also think a CEF backend would be a good idea, at least as an
alternative. I wasn't able to build smurf though (from schachmat's repo
or MehYam's fork). It would be nice if some more distros would package
CEF so we wouldn't have to trust Google or have big hardware.

OpenGL sounds like a good idea too, although I would have suggested
using libxcb. Some searching turned up this project cefgui [4] which uses
OpenGL with CEF. Perhaps that would be a reference or starting point.

> > I know there's a webkitgtk2 branch of surf. Is there anything
> > missing in it that would prevent it from being the default surf
> > branch? I'll gladly help bring things up to scratch if there is work
> > to do, as surf is a reasonable interface and I dislike it much less
> > than other browsers (except my pandoc / markdown / tkread setup, but
> > that's not very general-purpose, only really fit to read longform
> > articles).
> It would make sense to look into this. It always makes sense to be
> on the latest branch to get the latest security updates. Let's see
> what the others have to say.

Christoph, you mentioned having problems with gtk3 in surf a while ago
[3]. Do you have any updates about that?

[1] http://git.fifth.space/surf
[2] http://permalink.gmane.org/gmane.comp.misc.suckless.scm/4196
[3] http://permalink.gmane.org/gmane.comp.misc.suckless/17351
[4] https://github.com/andmcgregor/cefgui/commits/master
Received on Sat Feb 06 2016 - 01:40:55 CET