The web browser I'm dreaming of
source link: https://dustri.org/b/the-web-browser-im-dreaming-of.html
Those are the main features I'm expecting from a web browser:
- Written in a memory-safe-ish language that a plebeian like me can understand, review and contribute to, like rust and go or even lua or V, but please no lisp, elisp or haskell.
- Sandboxed to death.
- Ability to block ads because the web is a hot bubbling cesspool.
- a sensible subset of modern https, html5, css3 and http 1.1 (and maybe http2 if you're feeling fancy, because multiplexing requests is neat),
- basic javascript (or even better, typescript) support, with something like a dumb interpreter, also written in a memory-safe-ish language.
- maybe tabs
Now here is a subset of the ones that I don't want, and that the vast majority of websites and their users either don't care about, don't use, or even shouldn't be using in the first place:
- Ridiculous performance hacks:
- WASM: The web used to be readable-ish, debuggable, observable-ish and introspectable. I don't want to run assembly in my web browser and lose those properties, for what exactly? Mining bitcoin/monero, cross compiling programs to make fun demos, and providing a RWX segment for every browser exploit.
- WASM SIMD: if your website needs to use SIMD with webassembly, you're either doing something non-exclusively terribly wrong, idiotic or useless.
- WebAssembly Managed Objects / GC: "This will allow WebAssembly to implement garbage collected languages efficiently.", because implementing new languages in javascript is a completely mundane task done by the majority of websites.
- WebAssembly BigInt Integration, WebAssembly multi-values, WebAssembly Reference Types, WebAssembly Type Reflection JS API, … can't wait for this to go full-circle and to have WebJavascript!
- Crazy optimizing compilers/JIT contraptions with ungodly hacks: we shouldn't need those to have usable webpages. Firefox, for example, has two-tier interpreter and two-tier JIT. Google Chrome has 3 tier JIT and an interpreter. Previously, it was JIT-only, then 2-tier JIT, then 2-tier JIT plus interpreter, then 3-tier JIT plus interpreter, then single-tier JIT plus interpreter. I want my javascript to be stupidly interpreted, I don't want speculative type inference, I don't want profile-based optimizations, … I want less code involved with javascript, and I don't care about having near-native performance in this area if it comes at such a high price complexity-wise.
- DNS prefetching: self-host your resources, instead of delegating them to a steaming pile of untrusted statistics-hoarding CDN kinda obsoleted by http2 anyway.
- Async and defer, instead of not loading gargantuan amounts of javascript.
- Subresource loading with Web Bundles: no.
- Battery-savings meta tag: don't eat my battery in the first place.
- WebCodecs: "support emerging applications, such as latency-sensitive game streaming, client-side effects or transcoding, and polyfillable media container support". Nobody except Google is doing game streaming in a browser, and nobody except youtube wants to have web browsers doing transcoding.
- Things my operating system is already doing, but apparently needs to be done by my special snowflake of a web browser.
- Fullscreen API
- Multi-Screen Window Placement: I already have a window manager taking care of my screen estate.
- DNS things:
- DNSSEC, because in the Chrome Security Teams' own words: "DNSSEC and DANE (types 2/3) do not measurably raise the bar for security compared to alternatives, and can be negative for security."
- DNS-over-HTTPS
- Themes: my browser isn't an IDE.
- Handwriting recognition: why.
- In-browser screenshot tools.
- Picture-in-Picture API: "The Picture-in-Picture API allow websites to create a floating video window always on top of other windows so that users may continue consuming media while they interact with other content sites, or applications on their device.", I already have something called a desktop to arrange windows around, thanks. Moreover, it seems that the only reason it exists is because youtube doesn't want non-premium users to be able to listen to it without being able to throw ads at their eyeballs.
- A crapton of (often forked) vendored things because screw properly packaged dependencies?
- Still on Debian, Chromium is a lot of fun as well: abseil, python-markdown, afl (yes.), ashmem, boringssl, breakpad, brotli, jinja2, jsoncpp, lcov, libfuzzer, some xmpp stuff, liblouis, libusb, libxml with patches, …
- Fuck accessibility misfeatures:
- Encrypted Media Extensions, adding proprietary inscrutable blackbox garbage so that some people can watch netflix in their browser. Just give up on DRM already, they're useless at best, harmful at worst.
- Frames: a thing from the past that should be thrown directly into the Sun.
- Clipboard API: not only a privacy concern since websites shouldn't be able to read/write into your clipboard, but also a nice opportunity to screw accessibility over by preventing people from copy/pasting content on websites. Sandbox escapes as a bonus.
- Pointer Lock API: "It gives you access to raw mouse movement, locks the target of mouse events to a single element, eliminates limits on how far mouse movement can go in a single direction, and removes the cursor from view. It is ideal for first person 3D games, for example.". Because of course implementing FPS in a web browser is such a common genuine usecase warranting an implementation of this feature in every single web browser.
- Session history management, because manipulating the user's browsing history is of course a feature and not a horrible malpractice!
- Print events, because adding annotation and watermarks is neat!
- Disabling the spellcheck, what's even the usecase for this?
- Multimedia stuff, because the web is the new demoscene apparently:
- WebGL: My web browser isn't a game console. Microsoft even considered it harmful.
- WebGL 2.0, because you can't deprecate/supersede shit fast enough, and having bleeding edge accelerated 3D graphics rendering in a web browser is an essential capability.
- WebRTC: "real-time communication capabilities", in a web browser. Pepperidge farm remembers when chat apps weren't running in browsers.
- Web MIDI API: to run synthesisers I suppose? Sandbox escapes as a bonus.
- WebVR WebXR Device API, virtual reality, why…
- Canvas API: "The Canvas API provides a means for drawing graphics via JavaScript and the HTML <canvas> element. Among other things, it can be used for animation, game graphics, data visualization, photo manipulation, and real-time video processing." all essential usecases for the vast majority of websites. Actually, a significant number of websites are using this API for tracking purposes.
- WebGPU: I don't want to play games, I want to browse the web. I don't want my browser to have low-level access to my GPU and its stellar quality drivers.
- Media Session API, to customize media notifications.
- Media Session API: Video conferencing actions: completely worth adding an API in a browser for a feature used by maybe less than a dozen websites.
- Gamepad support, because I've always dreamt of browsing the web with a joystick or a PS1 controller! Sandbox escape as a bonus.
- Gamepad light indicator API: why.
- GamePad multitouch extension: a badly named API to support wiimotes-like devices.
- Gamepad Button and Axis Events: how many games can you name on top of your head that are using axis events?
- Web Audio API: because without the ability to add effects to audio, mix sources, create audio visualizations and apply spatial effects, how would one reimplement ardour in a browser? On the bright side, processing audio is a straightforward process, and this added complexity will for sure never be a source of critical security issues.
- A builtin PDF viewer: Can we please stop trying to shove every single desktop application in web browsers? It's not as if the PDF specification was a longer-than-the-Bible trashfire complexity-wise that will invariably lead to catastrophic bugs anyway. Sandbox escape as a bonus.
- Client-side video editing: I don't even.
- Speech Recognition: this should be something globally available on your operating system; imagine if every program on your computer was implementing this in their own fashion. Sandbox escape as a bonus.
- Security misfeatures:
- Sandboxed iframes: I don't want frames in the first place. Including websites in your website is idiotic, but doing it with data that you don't trust is a whole new level.
- Seamless iframes, because phishing isn't a thing!
- XSS auditor: easily bypassable, with false-positives, introducing cross-site leaks, …
- Portals, because using pictures and links is too much to ask apparently. Stop considering loading pages as something obscene. Sandbox escape as a bonus.
- Web Crypto API: Just use TLS, don't brew your own cryptography with javascript, it's often useless at best, dangerous when not completely moronic most of the time.
- Do not track: Enabled by default, respected by no one.
- Credential Management API: Just use a password manager already, instead of delegating this to websites themselves.
- Signed HTTP Exchanges (SXG), with AMP as the main usecase, because the Same-Origin Policy is too easy to manipulate, so let's add some more nightmarish cryptographically signed insanity on top of it.
- Document Policy, because browsers are supporting so much crap that apparently we now need a declarative policy to inform users what features will be (mis)used to track them.
- SameSite attribute: The "strict" mode should be the default behaviour.
- Public Key Pinning, deprecated in Chrome, it's a bandaid over the CA system in the form of a trigger-happy triple-barrel footgun doubling as a cool ransomware vector.
- noopener should be the default behaviour.
- Subresource Integrity: it solves some security problems that you shouldn't be having because including resources from untrusted sources in the first place is pure concentrated whole-grain stupidity.
- Third party cookies: drop them by default, into a volcano.
- WebOTP API and its cross-origin iframe support: 2FA via sms-based OTP doesn't prevent phishing, and even if it did, which it doesn't, I don't want my web browser to have access to my text messages!
- Extended validation certificates: useless, expensive and don't improve security.
- COOP/COEP/CORP/CORS/CORB headers: don't let your site be included in others instead.
- Exotic fileformats and protocols support
- FTP support: the 70s called, they wanted their protocol invented before TCP/IP back.
- Gopher support.
- 3GP: "The format was designed for use on 3G mobile phones, but can still be used on more modern phones and networks."
- QuickTime shit
- ADTS/AAC: everyone uses mp3, ogg or flac except Apple and a few game consoles.
- TIFF, because tiff is such a great format, and uncompressed/ghetto-compressed scanned photos are something common on the web.
- BMP: horribly inefficient, nobody uses it anymore, just drop it already.
- WAV: Uncompressed audio, nobody should use it to play sounds on webpages.
- Tracking garbage:
- Trust Token API: cryptocrap-powered tracking.
- Federated Learning of Cohorts: tracking via third-party cookies was awful, so the obvious solution is to get rid of them and replace them with an opaque rube-goldberg machinery with pinky-swear promises attached, while this in fact significantly eases fingerprinting and targeted advertisements, leading to "interesting" side effects. It's hilarious that everyone hates it and is turning it off; both big content providers like WordPress, Github pages, Gitlab pages, The Markup, The Guardian, … and web browsers like Vivaldi, Brave, Microsoft Edge, Opera, Firefox, … Lawyers and States are also talking about antitrust/anticompetitive behaviour as well as blatant GDPR violation.
- Idle detection: with exotic usecases, when you can actually vividly hear advertisers thinking how cool this is to check if users are looking at ads or not!
- Conversion Measurement API: fuck no.
- Beacon API: Why would I want data to be sent to websites after I closed the page?
- Web Bluetooth: No, I don't want websites to communicate with devices over bluetooth, providing them yet another way to track me, in the real™ world. Various sandbox escapes as a bonus.
- Privacy sandbox: flaming tracking garbage.
- Geolocation: Why would websites want to know my location, except for geoblocking, tracking and geotargeting? They usually already have my actual IP address, which is more than enough anyway, don't provide them with more.
- Referer: Yet another purely tracking-oriented misfeature from the past.
- Web NFC: Even the official usecases are dull and über-specific.
- navigator.hardwareConcurrency: why should websites care about how many logical cores my CPU has‽
- Magnetometer: the usecases section of the specification is hilarious, in a tragic way.
- Gyroscope: no.
- Ambient Light Events/AmbientLightSensor: What's the usecase for this? Changing the theme of the website to match the current lighting mood?
- Accelerometer: can't have too many ways to track/identify your environment!
- Proximity Events: "When the device proximity sensor detects a change between the device and an object, it notifies the browser of that change.". What is the legitimate usecase for this? Implementing automatic parking for your car via your phone's web browser?
- Orientation Sensor/DeviceOrientation Event Specification: why should a website care how I handle my device?
- Battery Status API, deprecated, but still a shitty idea in the first place.
- Broadcast Channel API: "basic communication between browsing contexts and workers on the same origin.". It seems that it's simple to use Spectre in the first place.
- Content Index API: "The Content Index API allows developers to register their offline enabled content with the browser.". If I want to access a webpage offline, I just save it. No need for the browser to perform special shenanigans for this to happen.
- Web Periodic Background Synchronization API: "The Web Periodic Background Synchronization API provides a way to register tasks to be run in a service worker at periodic intervals with network connectivity. These tasks are referred to as periodic background sync requests.". One more opportunity to nuke my battery, excellent!
- PageTransitionEvent/Page Visibility API, no I don't need websites to know if I'm looking at them or not.
- Network Information API, because of course websites have to know what type of connection I'm using. Just minimize the amount of data I need to download to browse your website, instead of thinking that I'm ok with more ads because I'm using a fiber connection, because I'm not.
- Screen Capture API: why would a website need to see how it's looking on my device‽
- Ping API: "Typically for tracking." → volcano.
- Web Periodic Background Synchronization API: I don't want websites to silently do things behind my back.
- Storage Pressure Event: why would a website need to know if my device is running low on space? Just don't store your garbage client-side in the first place.
- Straight spam:
- Vibration API: great way to empty my battery and get on my nerve at the same time!
- Notification: just no. I don't want them on my phone, I don't want them on my desktop, I don't want them on the web. I want to be able to focus on what I'm doing, and not be constantly distracted. Also, in what situation would I want to allow a website to notify me of anything? Nothing they have to tell me about is urgent enough that it shouldn't be sendable via email.
- Autoplay: I really love it when some random webpage decides to play audio on its own, and I have to hunt which one it is and where are the media controls on it.
- Contact Picker API, I can copy-paste phone numbers, thank you.
- Screen Wake Lock API, another really cool way to drain all my battery.
- Web App Manifest: I already have bookmarks, thanks.
- Modal Dialogs: just do it with html already.
- "Sponsored images": stop trying to shove ads everywhere.
- Popups: I thought we all agreed in the 1990s that those were the cancer of the internet, and should be eradicated.
- Run PWA on OS Login: no I don't want websites to crawl from the depths of my browser and be automatically run at my operating system's startup.
- Useless API:
- Barcode Detection API y tho.
- WebUSB: USB is horrible security-wise, and what would be the usecases anyway?
- Permissions API: since we now have a gigantic pile of API and weird features, we of course need an API to see which ones are available.
- WebSockets: "a two-way interactive communication session between the user's browser and a server.", I don't want interactivity, I want to read webpages.
- Web Storage API: client-side key-value storage, which should happen server-side instead.
- Background Tasks API: because everything is so bloated that we need asynchronism in resources processing.
- Merchant Validation: I knew that PHP5 had some credit card processing features, but it's no excuse to bolt some payment primitive directly into javascript.
- Microtransaction payment handlers: can't wait for the blockchain version.
- Payment Request API: the justification for this API's existence is that checkout forms are too cumbersome. A ton of sandbox escapes as a bonus.
- MediaStream Image Capture API, because of course I want my web browser to be able to use my webcam and take pictures! Sandbox escapes as a bonus.
- Push API: just use ajax
- Web Serial API: What website doesn't need to access a serial port nowadays? Sandbox escape as a bonus.
- The fuckton of useless CSS properties that nobody is using.
- Video encoders: "This feature ships an AV1 encoder in Chrome desktop, specifically optimized for video conferencing with WebRTC integration.", a common feature of websites, thus it's completely worth adding a complete video encoder in the browser.
- Raw Sockets API: the only usecase I see for this is DDoS and implementing nmap in javascript. Oh, and also, free SOP bypasses.
- Misc junk:
- Craptocurrencies trading: fuck no.
- File System Access API: "It expands the current file capabilities of a browser and can enable developers to create software to open and save files. Software such as IDE's, photo or video editors and text editors, to name but a few.".
- File and Directory Entries API: "a "virtual drive" within the browser sandbox", to be used for drag'n'drop. Just use an upload form instead.
- Offline web applications: I don't want web pages to become applications. Stop having apps for everything. Moreover, most of the webpages aren't (and shouldn't be) super-interactive, and are already perfectly usable offline.
- IndexDB: because a full-fledged client-side SQL database sounds like a must-have to browse webpages. And of course, there is already IndexDB 2.0 and IndexDB 3.0, each 3 years distant from the other, a sane amount of time for everyone to implement something this complex. But I guess you gotta compete with Google to see who can deprecate the fastest! A metric ton of various interesting sandbox escapes as a nice bonus.
- SVG favicons: nobody is going to zoom on your favicons, or appreciate how crisp they are on a retina display.
- Pocket should be a web extension, not something bundled in my browser, ideally with a less shitty privacy policy.
- DOMMatrix: just use javascript arrays.
- Plugins support, like h264 or DRM in Firefox: Java and Flash were pure cancer in every possible ways, just trash this "feature" already.
- Heavy Ad Intervention: "These poorly performant ads (whether intentional or not) harm the user’s browsing experience by making pages slow, draining device battery, and consuming mobile data (for those without unlimited plans)." Fascinating. The same reasoning applies to every single ad: what about blocking them all?
- Quirk mode: If a website is important enough to warrant a special snowflake mode in a browser because it uses some obsolete features/hacks, it surely can hire someone to fix their broken code.
- Internationalized domain name: because phishing isn't a thing. Punycode isn't a solution since it only covers ASCII domains spoofing.
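
The IDN point above, as an added example that is not from the original post: a Python label classifier built on a constructed lookalike table and a hypothetical display policy (not any browser's actual algorithm). It goes one step beyond the text by also flagging whole-script lookalikes, which a mixed-script rule alone lets through, and it shows that a legitimate non-ASCII name only stays readable if it is exempted from the punycode fallback.

```python
import unicodedata

# Constructed, deliberately tiny subset of Cyrillic letters that resemble Latin
# ones; a real check would use the full Unicode confusables data (UTS #39).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x"}


def script_of(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_punycode(label):
    """ASCII form of one label, as shown when a browser falls back to punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def classify(label):
    """Return 'ascii', 'mixed-script', 'whole-script-confusable' or 'single-script'."""
    if label.isascii():
        return "ascii"
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        return "mixed-script"
    # Single script: does every letter map onto an ASCII lookalike?
    skeleton = "".join(LOOKALIKES.get(c, c) for c in label)
    if skeleton.isascii():
        return "whole-script-confusable"
    return "single-script"


def display(hostname):
    """Hypothetical policy: keep clean labels readable, punycode the rest."""
    shown = []
    for label in hostname.lower().split("."):
        clean = classify(label) in ("ascii", "single-script")
        shown.append(label if clean else to_punycode(label))
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hostnames (escapes make the non-ASCII letters visible).
    samples = [
        "example.com",                               # plain ASCII
        "ex\u0430mple.com",                          # Cyrillic 'a' among Latin letters
        "\u0441\u043e\u0441\u043e.com",              # all Cyrillic, reads as "coco"
        "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # ordinary Cyrillic word
    ]
    for host in samples:
        first = host.split(".")[0]
        print(f"{classify(first):24} {display(host)}")
```
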