Re: [dev] Interesting Web Browser Decoupling Concept

From: hiro <23hiro_AT_gmail.com>
Date: Mon, 12 Jun 2017 00:29:26 +0200

no

On 6/11/17, Alba Pompeo <albapompeo_AT_gmail.com> wrote:
> W3C is not the only organization working on standardization.
> Any opinion on WHATWG? Is it a little better?
>
> On Sun, Jun 11, 2017 at 9:19 AM, Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
>> On Sat, Jun 10, 2017 at 01:30:12PM -0700, Louis Santillan wrote:
>>> https://youtu.be/1uflg7LDmzI?t=5m35s
>>>
>>> James Mickens calls it Project Atlantis.
>>
>> I could not find any Project Atlantis code, do you know where to find it?
>>
>>> Make the web/content developers responsible for their own rendering
>>> and content parsing.
>>
>> No, this is exactly what you don't want. Current accessibility is already
>> terrible. I'd like it if HTML goes back to a document-based model like it
>> was created instead of a "pixel-precise" rendering model. The W3C should be
>> more strict when defining these standards instead of adding random
>> battery-reading APIs[0]! Currently using well-formed simple HTML or (the
>> "old") Gopher it is possible to display (or listen to!) the document in
>> any way.
>>
>> In relation to HTML: I think ideally JavaScript and other custom
>> client-side execution should be completely removed, but some
>> semantic-context should be added to the current HTML.
>>
>> There are some useful things where JavaScript is (ab)used right now,
>> because alternatives are missing or inconsistent:
>>
>> - Implementations of more native missing/inconsistent control types:
>>   datepicker, colorpicker, etc.
>> - Client-side form validation to indicate the user: should be native in
>>   HTML (similar to <input pattern="" />).
>> - Sending form data in a "dynamic" way (using XMLHttpRequest).
>> - etc...
>>
>> These can probably just be extended as tags and attributes.
>>
>> I'd also like it if more concern was given to privacy and browser
>> fingerprinting.
>> Sidenote: this is what happens when you let advertising agencies
>> (Google, Facebook) join the W3C.
>> The current model leaks too much data to untrusted parties and already
>> allows too much control:
>>
>> - OS / kernel version, browser and browser version, CPU architecture.
>> - Screen resolution (by abusing CSS media selectors or JS readout).
>> - Client timestamp (header field) in GZIP compressed data.
>> - Document caching information.
>> - JS: exact geographic location.
>> - JS: reading your PC battery status[0].
>> - JS: CPU: read amount of cores, etc. [1]
>> - JS: CPU timing data, see JS hammer attack for a spooky example[2].
>> - JS: WebGL GPU fingerprinting / GPU kernel exploits.
>> - JS: WebGL bitcoin mining by abusing compute shaders \o/ [3].
>> - ... the list goes on ....
>>
>> W3C is also already "succumbing" (see editors list) to adding DRM[4] to
>> your browser, wake up sheeple!
>>
>>> Narrow & simplify the scope of what a browser needs to be (shouldn't
>>> duplicate all the functions of an OS). His Deny First Same Origin
>>> Policy is also a worthy change to current standards. This coupled
>>> with some of the concepts from Seif [0] (though not the current code
>>> base, I disagree with the choice of nodejs & Qt), could make web
>>> browsing . . . better, safer, more performant.
>>>
>>> Interesting things to consider with some of the suckless ethos.
>>>
>>> [0] https://youtu.be/0w6tZEbrHIY
>>>
>>
>> Adding abstractions is not the solution in my opinion.
>>
>> It doesn't seem to simplify the scope. The rendering part is "just" given
>> as responsibility to the developers and an RPC layer is added, but at this
>> point you are already screwed in various ways.
>>
>> Also many of the (current) layers he discusses in the video are still
>> partially implemented or in draft, but in use today: IndexedDB, HTML5
>> storage, CSS3 / CSS animations, Websockets, WebRTC. These layers should not
>> be used anyway in a document-based model. It's impossible to change web
>> developers' mindset, but it is currently possible to write simple webpages
>> most of the time.
>>
>> Coming back to the real practical world: until then I try to keep my
>> (personal) HTML pages simple[5] and use as little JavaScript as possible
>> (no jQuery!).
>>
>>
>> References:
>> [0] - https://www.w3.org/TR/battery-status/
>> "4. Security and privacy considerations"
>> "The user agent SHOULD not expose high precision readouts of battery
>> status information as that can introduce a new fingerprinting vector."
>> Are you FUCKING kidding me. ANY readout is a fingerprint vector.
>> [1] - https://developer.mozilla.org/en-US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency
>> [2] - https://motherboard.vice.com/en_us/article/rowhammerjs-is-the-most-ingenious-hack-ive-ever-seen
>> [3] - https://github.com/derjanb/hamiyoca
>> [4] - https://www.w3.org/TR/2017/PR-encrypted-media-20170316/
>> "Editors:
>> David Dorwin, >>Google Inc.<<
>> Jerry Smith, >>Microsoft Corporation<<
>> Mark Watson, >>Netflix Inc.<<
>> Adrian Bateman, >>Microsoft Corporation<< (Until May 2014)"
>> [5] - http://idlewords.com/talks/website_obesity.htm
>>
>> --
>> Kind regards,
>> Hiltjo
>>
>
>
Received on Mon Jun 12 2017 - 00:29:26 CEST
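
The quoted list above names the timestamp header field in GZIP compressed data; in RFC 1952 that is the 4-byte little-endian MTIME field at offset 4 of each gzip member header. The following is an added example, not part of the thread and not written by any of its participants: it reads that field and zeroes it. The payload, the timestamp and all function names are constructed for this example.

```python
import gzip
import struct
from datetime import datetime, timezone

FHCRC = 0x02  # FLG bit: a CRC16 of the header follows the optional fields

def gzip_header_info(blob: bytes) -> dict:
    """Parse the fixed 10-byte gzip member header (RFC 1952, section 2.3)."""
    if len(blob) < 10:
        raise ValueError("too short for a gzip header")
    id1, id2, cm, flg, mtime, _xfl, os_id = struct.unpack("<BBBBIBB", blob[:10])
    if (id1, id2) != (0x1F, 0x8B) or cm != 8:
        raise ValueError("not a deflate-compressed gzip member")
    when = datetime.fromtimestamp(mtime, timezone.utc).isoformat() if mtime else None
    return {"flags": flg, "mtime": mtime, "mtime_utc": when, "os_id": os_id}

def leaks_timestamp(blob: bytes) -> bool:
    """True when MTIME is non-zero, i.e. the stream carries a clock reading."""
    return gzip_header_info(blob)["mtime"] != 0

def scrub_mtime(blob: bytes) -> bytes:
    """Return the same stream with MTIME set to 0 ("no timestamp available")."""
    info = gzip_header_info(blob)
    if info["flags"] & FHCRC:
        # Editing the header would invalidate its CRC16; recompress instead.
        raise ValueError("header CRC present, recompress with mtime=0")
    return blob[:4] + b"\x00\x00\x00\x00" + blob[8:]

# Constructed sample: payload and timestamp are made up for illustration.
PAYLOAD = b"<html><body>simple document</body></html>"
SAMPLE = gzip.compress(PAYLOAD, mtime=1497220166)

if __name__ == "__main__":
    print(gzip_header_info(SAMPLE))
    clean = scrub_mtime(SAMPLE)
    print(leaks_timestamp(clean), gzip.decompress(clean) == PAYLOAD)
```

Producers can avoid the field at the source by compressing with `mtime=0`, which Python's `gzip.compress` accepts as a keyword argument.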

This archive was generated by hypermail 2.3.0 : Mon Jun 12 2017 - 00:36:31 CEST