Re: [dev] Interesting Web Browser Decoupling Concept

From: Louis Santillan <lpsantil_AT_gmail.com>
Date: Mon, 12 Jun 2017 02:46:25 -0700

You have remote arbitrary code execution now (because of HTML, CSS,
JS, and plugins) in your current web browsers. However, if the remote
code was effectively constrained (yes, a difficult problem [0][1][2]),
there could be hope.

The code bloat of others isn't something you have to worry about.
They optimize when they need to (or when it affects their bottom
line). But if you could start off with a better, smaller, faster,
more secure base, would you want to?

I think, requiring PKI style handshakes (or maybe what Crockford
suggests [3]) for session oriented communications [4], communicating
only in human readable markups (like Markdown [5], ASCIIDoc [6],
Wiki/Creole [7]/Creole+Salt+OpenIconic [8]) without content
negotiation, and creating smaller API interfaces, there could be
important improvements there.

[0] https://developers.google.com/caja/
[1] http://www.adsafe.org/
[2] http://restrictmode.org/
[3] http://www.seif.place/seifhandshake.html
[4] https://github.com/paypal/seif-protocol/blob/master/seif-protocol-specification.pdf
[5] http://spec.commonmark.org/
[6] http://asciidoctor.org/docs/what-is-asciidoc/
[7] http://www.wikicreole.org/wiki/Creole1.0
[8] http://plantuml.com/salt

On Sun, Jun 11, 2017 at 7:53 PM, Rendov Norra <tsobf242_AT_gmail.com> wrote:
> I fail to see how remote arbitrary code execution is a feature. Maybe
> I'm missing something.
>
> I suppose in essence it would suck less in that there'd be fewer APIs,
> but you'll just get the same lazy code and bloat that most software
> exhibits, but with the ease of visiting a webpage.
>
> On 6/10/17, Louis Santillan <lpsantil_AT_gmail.com> wrote:
>> https://youtu.be/1uflg7LDmzI?t=5m35s
>>
>> James Mickens calls it Project Atlantis. Make the web/content
>> developers responsible for their own rendering and content parsing.
>> Narrow & simplify the scope of what a browser needs to be (shouldn't
>> duplicate all the functions of an OS). His Deny First Same Origin
>> Policy is also a worthy change to current standards. This coupled
>> with some of the concepts from Seif [0] (though not the current code
>> base, I disagree with the choice of nodejs & Qt), could make web
>> browsing . . . better, safer, more performant.
>>
>> Interesting things to consider with some of the suckless ethos.
>>
>> [0] https://youtu.be/0w6tZEbrHIY
>>
>>
>
Received on Mon Jun 12 2017 - 11:46:25 CEST

This archive was generated by hypermail 2.3.0 : Mon Jun 12 2017 - 11:48:16 CEST