Re: [dev] Interesting Web Browser Decoupling Concept

From: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
Date: Sun, 11 Jun 2017 14:19:08 +0200

On Sat, Jun 10, 2017 at 01:30:12PM -0700, Louis Santillan wrote:
> https://youtu.be/1uflg7LDmzI?t=5m35s
>
> James Mickens calls it Project Atlantis.

I could not find any Project Atlantis code, do you know where to find it?

> Make the web/content developers responsible for their own rendering
> and content parsing.

No, this is exactly what you don't want. Current accessibility is already
terrible. I'd like it if HTML goes back to a document-based model like it was
created instead of a "pixel-precise" rendering model. The W3C should be more
strict when defining these standards instead of adding random battery-reading
APIs[0]! Currently, using well-formed simple HTML or (the "old") Gopher, it is
possible to display (or listen to!) the document in any way.

In relation to HTML: I think ideally JavaScript and other custom client-side
execution should be completely removed, but some semantic context should
be added to the current HTML.

There are some useful things where JavaScript is (ab)used right now, because
alternatives are missing or inconsistent:

- Implementations of more native missing/inconsistent control types: datepicker,
  colorpicker, etc.
- Client-side form validation to indicate to the user: should be native in HTML
  (similar to <input pattern="" />).
- Sending form data in a "dynamic" way (using XMLHttpRequest).
- etc...

These can probably just be extended as tags and attributes.

I'd also like it if more concern were given to privacy and browser fingerprinting.
Sidenote: this is what happens when you let advertising agencies
(Google, Facebook) join the W3C.
The current model leaks too much data to untrusted parties and already allows too
much control:

- OS / kernel version, browser and browser version, CPU architecture.
- Screen resolution (by abusing CSS media selectors or JS readout).
- Client timestamp (header field) in GZIP compressed data.
- Document caching information.
- JS: exact geographic location.
- JS: reading your PC battery status[0].
- JS: CPU: read amount of cores, etc. [1]
- JS: CPU timing data, see JS hammer attack for a spooky example[2].
- JS: WebGL GPU fingerprinting / GPU kernel exploits.
- JS: WebGL bitcoin mining by abusing compute shaders \o/ [3].
- ... the list goes on ....

W3C is also already "succumbing" (see editors list) to adding DRM[4] to your
browser, wake up sheeple!

> Narrow & simplify the scope of what a browser needs to be (shouldn't
> duplicate all the functions of an OS). His Deny First Same Origin
> Policy is also a worthy change to current standards. This coupled
> with some of the concepts from Seif [0] (though not the current code
> base, I disagree with the choice of nodejs & Qt), could make web
> browsing . . . better, safer, more performant.
>
> Interesting things to consider with some of the suckless ethos.
>
> [0] https://youtu.be/0w6tZEbrHIY
>

Adding abstractions is not the solution in my opinion.

It doesn't seem to simplify the scope. The rendering part is "just" given
as a responsibility to the developers and an RPC layer is added, but at this
point you are already screwed in various ways.

Also, many of the (current) layers he discusses in the video are still partially
implemented or in draft, but in use today: IndexedDB, HTML5 storage,
CSS3 / CSS animations, WebSockets, WebRTC. These layers should not be used
anyway in a document-based model. It's impossible to change web developers'
mindset, but it is currently possible to write simple webpages most of
the time.

Coming back to the real practical world: until then I try to keep my (personal)
HTML pages simple[5] and use as little JavaScript as possible (no jQuery!).


References:
[0] - https://www.w3.org/TR/battery-status/
      "4. Security and privacy considerations"
      "The user agent SHOULD not expose high precision readouts of battery status information as that can introduce a new fingerprinting vector."
      Are you FUCKING kidding me. ANY readout is a fingerprint vector.
[1] - https://developer.mozilla.org/en-US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency
[2] - https://motherboard.vice.com/en_us/article/rowhammerjs-is-the-most-ingenious-hack-ive-ever-seen
[3] - https://github.com/derjanb/hamiyoca
[4] - https://www.w3.org/TR/2017/PR-encrypted-media-20170316/
      "Editors:
      David Dorwin, >>Google Inc.<<
      Jerry Smith, >>Microsoft Corporation<<
      Mark Watson, >>Netflix Inc.<<
      Adrian Bateman, >>Microsoft Corporation<< (Until May 2014)"
[5] - http://idlewords.com/talks/website_obesity.htm

-- 
Kind regards,
Hiltjo
Received on Sun Jun 11 2017 - 14:19:08 CEST
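
The gzip timestamp item from the list above, as an added example that is not part of the original message: a check for the MTIME header field that RFC 1952 defines for gzip streams, and a way to zero it. The function names and the sample body and timestamp are constructed for illustration.

```python
import gzip
import struct
from datetime import datetime, timezone

FHCRC = 0x02  # FLG bit: a CRC16 over the header follows the optional fields

def _check_header(blob: bytes) -> None:
    # RFC 1952 fixed header: ID1 ID2 CM FLG MTIME(4, little-endian) XFL OS
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate member")

def gzip_mtime(blob: bytes):
    """Return the embedded MTIME as a UTC datetime, or None when it is 0 (unset)."""
    _check_header(blob)
    (mtime,) = struct.unpack_from("<I", blob, 4)
    return datetime.fromtimestamp(mtime, tz=timezone.utc) if mtime else None

def scrub_mtime(blob: bytes) -> bytes:
    """Return a copy with MTIME zeroed. The trailer CRC32 covers only the
    uncompressed data, so the payload still verifies after the change."""
    _check_header(blob)
    if blob[3] & FHCRC:
        # The header is covered by its own CRC16; patching would corrupt it.
        raise ValueError("header CRC present: recompress with mtime=0 instead")
    return blob[:4] + b"\x00\x00\x00\x00" + blob[8:]

# Constructed sample: a body compressed with a made-up timestamp.
SAMPLE_TS = 1_500_000_000
SAMPLE = gzip.compress(b"<p>hello</p>", mtime=SAMPLE_TS)

if __name__ == "__main__":
    print("before:", gzip_mtime(SAMPLE))
    clean = scrub_mtime(SAMPLE)
    print("after: ", gzip_mtime(clean))
    print("payload intact:", gzip.decompress(clean) == b"<p>hello</p>")
```

Whoever produces the compressed data can avoid the field entirely by compressing with a zero timestamp, as `gzip.compress(data, mtime=0)` does in Python.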