Re: [dev] Interesting Web Browser Decoupling Concept

From: Alba Pompeo <albapompeo_AT_gmail.com>
Date: Sun, 11 Jun 2017 13:09:40 -0300

W3C is not the only organization working on standardization.
Any opinion on WHATWG? Is it a little better?




On Sun, Jun 11, 2017 at 9:19 AM, Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
> On Sat, Jun 10, 2017 at 01:30:12PM -0700, Louis Santillan wrote:
>> https://youtu.be/1uflg7LDmzI?t=5m35s
>>
>> James Mickens calls it Project Atlantis.
>
> I could not find any Project Atlantis code, do you know where to find it?
>
>> Make the web/content developers responsible for their own rendering
>> and content parsing.
>
> No, this is exactly what you don't want. Current accessibility is already
> terrible. I'd like it if HTML goes back to a document-based model like it was
> created instead of a "pixel-precise" rendering model. The W3C should be more
> strict when defining these standards instead of adding random battery-reading
> APIs[0]! Currently using well-formed simple HTML or (the "old") Gopher it is
> possible to display (or listen!) to the document in any way.
>
> In relation to HTML: I think ideally Javascript and other custom client-side
> execution should be completely removed, but some semantic-context should
> be added to the current HTML.
>
> There are some useful things where Javascript is (ab)used right now, because
> alternatives are missing or inconsistent:
>
> - Implementations of more native missing/inconsistent control types: datepicker,
> colorpicker, etc.
> - Client-side form validation to indicate the user: should be native in HTML.
> (similar to <input pattern="" />).
> - Sending form data in a "dynamic" way (using XMLHttpRequest).
> - etc...
>
> These can probably just be extended as tags and attributes.
>
> I'd also like if more concern is taken to privacy and browser fingerprinting.
> Sidenote: this is what happens when you let advertising agencies
> (Google, Facebook) join the W3C.
> The current model leaks too much data to untrusted parties and allows already too
> much control:
>
> - OS / kernel version, browser and browser version, CPU architecture.
> - Screen resolution (by abusing CSS media selectors or JS readout).
> - Client timestamp (header field) in GZIP compressed data.
> - Document caching information.
> - JS: exact geographic location.
> - JS: reading your PC battery status[0].
> - JS: CPU: read amount of cores, etc. [1]
> - JS: CPU timing data, see JS hammer attack for a spooky example[2].
> - JS: WebGL GPU fingerprinting / GPU kernel exploits.
> - JS: WebGL bitcoin mining by abusing compute shaders \o/ [3].
> - ... the list goes on ....
>
> W3C is also already "succumbing" (see editors list) to adding DRM[4] to your
> browser, wake up sheeple!
>
>> Narrow & simplify the scope of what a browser needs to be (shouldn't
>> duplicate all the functions of an OS). His Deny First Same Origin
>> Policy is also a worthy change to current standards. This coupled
>> with some of the concepts from Seif [0] (though not the current code
>> base, I disagree with the choice of nodejs & Qt), could make web
>> browsing . . . better, safer, more performant.
>>
>> Interesting things to consider with some of the suckless ethos.
>>
>> [0] https://youtu.be/0w6tZEbrHIY
>>
>
> Adding abstractions is not the solution in my opinion.
>
> It doesn't seem to simplify the scope. The rendering part is "just" given
> as responsibility to the developers and a RPC layer is added, but at this
> point you are already screwed in various ways.
>
> Also many of the (current) layers he discusses in the video are still partially
> implemented or in draft, but in use today: IndexedDB, HTML5 storage,
> CSS3 / CSS animations, Websockets, WebRTC. These layers should not be used
> anyway in a document-based model. It's impossible to change web developers'
> mind-set, but it is currently possible to write simple webpages most of
> the time.
>
> Coming back to the real practical world: until then I try to keep my (personal)
> HTML pages simple[5] and use as little Javascript as possible (no jQuery!).
>
>
> References:
> [0] - https://www.w3.org/TR/battery-status/
> "4. Security and privacy considerations"
> "The user agent SHOULD not expose high precision readouts of battery status information as that can introduce a new fingerprinting vector."
> Are you FUCKING kidding me. ANY readout is a fingerprint vector.
> [1] - https://developer.mozilla.org/en-US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency
> [2] - https://motherboard.vice.com/en_us/article/rowhammerjs-is-the-most-ingenious-hack-ive-ever-seen
> [3] - https://github.com/derjanb/hamiyoca
> [4] - https://www.w3.org/TR/2017/PR-encrypted-media-20170316/
> "Editors:
> David Dorwin, >>Google Inc.<<
> Jerry Smith, >>Microsoft Corporation<<
> Mark Watson, >>Netflix Inc.<<
> Adrian Bateman, >>Microsoft Corporation<< (Until May 2014)"
> [5] - http://idlewords.com/talks/website_obesity.htm
>
> --
> Kind regards,
> Hiltjo
>
Received on Sun Jun 11 2017 - 18:09:40 CEST
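
Added example, not part of the original thread: a small calculation of how the readouts listed in the quoted message combine into an identifier, including a battery level that has already been reduced in precision. The visitor table is constructed, and modelling "not high precision" as rounding to the nearest 10 percent is an assumption made here, not something the spec or the thread states.

```javascript
// Constructed sample of eight visitors; every value is made up for illustration.
const visitors = [
  { os: "Linux",   screen: "1920x1080", cores: 4, batteryPct: 93 },
  { os: "Linux",   screen: "1920x1080", cores: 4, batteryPct: 41 },
  { os: "Linux",   screen: "1920x1080", cores: 8, batteryPct: 93 },
  { os: "Windows", screen: "1920x1080", cores: 4, batteryPct: 67 },
  { os: "Windows", screen: "1920x1080", cores: 4, batteryPct: 62 },
  { os: "Windows", screen: "1366x768",  cores: 2, batteryPct: 41 },
  { os: "Windows", screen: "1366x768",  cores: 2, batteryPct: 48 },
  { os: "macOS",   screen: "2560x1600", cores: 8, batteryPct: 100 },
];

// Assumed mitigation: expose the battery level only to the nearest 10 percent.
const coarse = visitors.map(v => ({ ...v, battery10: Math.round(v.batteryPct / 10) * 10 }));

// Count how many visitors share each joint value of the observed attributes.
function groupSizes(rows, attrs) {
  const counts = new Map();
  for (const r of rows) {
    const key = attrs.map(a => String(r[a])).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Visitors whose joint readout is shared with nobody else (anonymity set of 1).
function uniqueVisitors(rows, attrs) {
  let n = 0;
  for (const size of groupSizes(rows, attrs).values()) if (size === 1) n++;
  return n;
}

// Shannon entropy in bits of the joint readout over this population.
function entropyBits(rows, attrs) {
  let h = 0;
  for (const size of groupSizes(rows, attrs).values()) {
    const p = size / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Add one readout at a time and watch the anonymity sets shrink.
const all = ["os", "screen", "cores", "battery10"];
for (let i = 1; i <= all.length; i++) {
  const attrs = all.slice(0, i);
  console.log(attrs.join("+"), "unique:", uniqueVisitors(coarse, attrs),
              "bits:", entropyBits(coarse, attrs).toFixed(2));
}
```

In this sample, OS, screen and core count leave six of eight visitors sharing a readout with someone else; adding the rounded battery level makes all eight unique.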
