Post AIUJSaceTfWgoRgPSq by alcinnz@floss.social
(DIR) More posts by alcinnz@floss.social
(DIR) Post #AIUJSUQjV4QXbk3o3M by alcinnz@floss.social
2022-04-15T22:51:55Z
2 likes, 7 repeats
Quoting an anonymous Twitter user (got harrassed for these statements):"Safari is buggy" is a valid criticism."Safari is behind Chrome in features" is not a valid criticism.Never forget that the browser vendors, including Google and Apple, seized control of the web from the W3C. These few companies have too much power over the web, period.1/8
(DIR) Post #AIUJSYjJVvfOwWmhZQ by alcinnz@floss.social
2022-04-15T22:52:22Z
2 likes, 4 repeats
The web has massive feature bloat. It's a privacy and security nightmare.I personally think we should abolish JavaScript and not allow arbitrary remotely loaded code to execute on our computers."I want web sites to do everything a native app can do" is a suicidal mistake.2/8
(DIR) Post #AIUJSZGzUibacyXb3w by alcinnz@floss.social
2022-04-15T22:52:54Z
0 likes, 5 repeats
The more features that are added to the web, the less browser competition is possible! This is essential to recognize.And Google knows it! That's the whole point.Who can keep up with Google? Mozilla can't. Apple can't. Even Microsoft threw in the towel and adopted Chromium.3/8
(DIR) Post #AIUJSZlpe3H8AcyE8O by alcinnz@floss.social
2022-04-15T22:54:32Z
0 likes, 6 repeats
Imagine a small company trying to write their own web browser from scratch nowadays. It's just not possible! The web is so complex, there's no choice but to adopt one of the few existing browser engines: Chromium, WebKit, Gecko. That's it. The competitive landscape is bleak.4/8"Everyone has to adopt Chromium" is exactly Google's plan.Who controls the dominant browser engine controls the web.5/8
(DIR) Post #AIUJSaEttyWlcmZRRY by alcinnz@floss.social
2022-04-15T22:55:06Z
0 likes, 4 repeats
In a sense, there's no point in even having "web standards" anymore.Web standards theoretically allow *anybody* to implement a browser engine. But if the "standards" are sufficiently huge, then practically *nobody* can implement a browser engine.6/8
(DIR) Post #AIUJSaceTfWgoRgPSq by alcinnz@floss.social
2022-04-15T22:55:28Z
4 likes, 7 repeats
I've personally implemented software from scratch using RFC as a guide, in several different areas.But a web browser engine? Forget it!The "standards" now are nothing more than Chromium, WebKit, Gecko, and their individual quirks. How can there be a new engine?7/8The web is not "open" if nobody new can write a web browser engine. It's the illusion of openness.8/8 Fin!
(DIR) Post #AIULwGJyilxaRgE2Ay by atyh@pleroma.atyh.cc
2022-04-15T23:24:04.182383Z
0 likes, 0 repeats
@alcinnz You will never recover the web as a whole. There are too many megacorporations, financial institutions, and government entities with a vested interest to keep it the way it is. Your best bet is to get on board with projects like Gemini, Spartan, Bitreich's gopher project, and other smol web protocols.
(DIR) Post #AIULwGuUX1AQGvJC5Y by neanderthalsnavel@noagendasocial.com
2022-04-15T23:27:43Z
0 likes, 0 repeats
@atyh @alcinnz You left out CSS. We were doing just fine with Tables. The UX designers demanded CSS and everything went to hell.
(DIR) Post #AIULxial64rKPmlhpI by amolith@mk.nixnet.social
2022-04-15T23:27:58.732Z
0 likes, 0 repeats
@alcinnz@floss.social this is very good thread, thank you for cross-posting :ablobcatheadbang:the web browsers interact with is so bad :akko_badday:
(DIR) Post #AIUPaxOuGu8ZV3cvgG by pj@bitcoinhackers.org
2022-04-16T00:08:43Z
1 likes, 0 repeats
@alcinnz If you dislike progress, there's always email. Email is still on HTML 1.0
(DIR) Post #AIUn3Aeat9m3epO37I by digdeeper@mastodon.honeypot.im
2022-04-16T04:31:15Z
0 likes, 0 repeats
@alcinnz Blame the webdevs. If people developed directly in HTML, this wouldn't happen and you'd be able to use your favorite "minimal" browsers. But they'd rather click a few buttons in a bloated "framework" and then also load a bunch of third party trash like recaptcha.If people cared about how things work, and took some pride in designing something of their own, the big corpos would lose their power in a flash.
(DIR) Post #AIUnFz4FHG4dUJUkKm by sharow@fosstodon.org
2022-04-16T04:24:17Z
0 likes, 0 repeats
@alcinnzThere were more browser engines at the time.I actually worked on one of them.http://www.helgefjell.de/browser.phpOne thing I want say, Flash is not bad as people arguing. it's just crappy-implementation and not open-sourced.if you support Flash plugin (NPAPI interface), you get video, audio, vector-graphics, funcy-filters, and even script. you can focus to basic W3C stuff. FIash is container of arbitrary funcy stuff. I can watch Youtube by our browser, because it's just flash-video back then.
(DIR) Post #AIUnG02VfCHOVDgsGe by sharow@fosstodon.org
2022-04-16T04:24:53Z
0 likes, 0 repeats
@alcinnz Today, you need to implement EVERYTHING(canvas, svg, video, audio,...). They did standardlize those arbitrary plugin crap. thats makes browser chubby. and still continue ...
(DIR) Post #AIUnG0djQo3OMf6bHk by alcinnz@floss.social
2022-04-16T04:31:41Z
1 likes, 0 repeats
@sharow Yeah, as someone who's building my own browser engine: I agree, it's perfectly feasible to implement your own if you stick to the basics. To find (usually a terminal) browser which is reasonable to audit.However I would state that your link doesn't do a good job at making this point. It's full of WebKit-based browsers and Firefox forks, with a few terminal browsers.
(DIR) Post #AIUoJCAl6qZ0xIdXIO by alcinnz@floss.social
2022-04-16T04:45:30Z
0 likes, 0 repeats
@digdeeper Yup, that is something to advocate!However you can't let the education-industrial-recruitment off the hook either. Codecamps are focusing on the hot new framework from Meta or Google in their poor excuse for education, and recruiters are expecting these skills.Nor the W3C for focusing near-exclusively on JavaScript APIs recently.
(DIR) Post #AIUoKQXlAE7VodyyhM by alcinnz@floss.social
2022-04-16T04:45:37Z
0 likes, 0 repeats
@digdeeper Yup, that is something to advocate!However you can't let the education-industrial-recruitment off the hook either. Codecamps are focusing on the hot new framework from Meta or Google in their poor excuse for education, and recruiters are expecting these skills.Nor the W3C for focusing near-exclusively on JavaScript APIs recently.
(DIR) Post #AIUp5A8nxw6EYSay92 by digdeeper@mastodon.honeypot.im
2022-04-16T04:54:13Z
0 likes, 0 repeats
@alcinnz Right. However, how much influence does a regular person have on what the big corpos are doing?Until the systemic problems are fixed at their roots somehow, we can only do what we can. Which is, well, what I said earlier.
(DIR) Post #AIUuxieWMtBMzzGRWa by rigo@mamot.fr
2022-04-16T06:00:11Z
0 likes, 0 repeats
You could do like Vivaldi: fork an engine & remove the invasive parts. Google did not start from scratch, they forked webkit. Apple did not start from scratch, they forked KHTML. What you DO need for such work is solid financing. Now is the moment to ask EU governments for that. A competing OS browser would be the act of sovereignty they are talking so much about.
(DIR) Post #AIUvEGfNfnV97lYcJE by ryo@social.076.ne.jp
2022-04-16T05:53:59.093483Z
0 likes, 0 repeats
@digdeeper @alcinnz Like how I noticed on Thorchain's website.See my rant about how they made it so HTML's "a" tags exclude "href" attributes unless you enable JavaScript:https://social.076.ne.jp/notice/AIOjYsSsVyVNFqfpzM
(DIR) Post #AIUvEHIjJUyd5ny2ds by digdeeper@mastodon.honeypot.im
2022-04-16T06:02:58Z
0 likes, 0 repeats
@ryo @alcinnz Wow. Insane.
(DIR) Post #AIVJ1o6oQC2dymymae by Starfia@mastodon.social
2022-04-16T10:29:49Z
0 likes, 0 repeats
Heehee.
(DIR) Post #AIVPgxOzGYlI6u3ETQ by straw@socks.pinnoto.org
2022-04-16T08:04:25Z
1 likes, 0 repeats
@alcinnz I like the ease of creating beautiful things with CSS, and the hackiness of HTML, but my love for web technology stops there
(DIR) Post #AIWImAAii6KodssC24 by forever@fedi.nullob.si
2022-04-15T23:27:29.695Z
0 likes, 0 repeats
~> @alcinnz@floss.social I do not think JS should be abolished.I think that it simply should not be allowed on normal webpages. There should be a different, seperate type of webpage that allows JS.
(DIR) Post #AIWImAcj1yji2jyYgS by LunaDragofelis@embracing.space
2022-04-16T00:18:04Z
0 likes, 0 repeats
@forever @alcinnz maybe a separation between web pages and web apps
(DIR) Post #AIWImB7DCd7fZIEuCe by Seirdy@pleroma.envs.net
2022-04-16T22:01:41.823779Z
0 likes, 0 repeats
@LunaDragofelis @forever @alcinnz been tryna figure put a way to programmatically figure out if a webpage is *not* a web app, *and* is safe to customize and use media queries on without fingerprinting. And I think I figured it out.1. The page's CSP must have the equivalent of "connect-src: none" and a "sandbox" directive that has nothing more than "allow-same-origin" and "allow-downloads".2. The CSS has no background images or @import directives3. The page uses a secure cipher suite (no injection)4. The HTML's image srcsets do not convey any information about the display or viewport size.5. The HTML's "media" attributes do not conditionally load resources with more than two conditional branches. Loading a light or dark image is fine, for instance; too many options can reveal information that is too exact.It's probably possible to make no. 1 more relaxed for forms; specifying a single specific absolute URL for a form endpoint should be okay.For no. 2, I decided a blanket ban on CSS loading external resources is for the best. Inline CSS combined with external loading can tell a server if the user has CSS enabled or uses CSS overrides.For number 4: even coarse imprecise information about a display is risky. Site A knows your display is under 1400 pixels, Site B only knows its above 1350 pixels. If site A and B share information then we suddenly have pretty exact information.If all of the above check out, a web-lite user agent can load the page and treat it as a web document, forbidding it from making any requests after loading is complete. Otherwise, it can prompt the user to open in the default browser.
(DIR) Post #AIWJLvvV9U3esyoMFM by forever@fedi.nullob.si
2022-04-16T22:05:02.206Z
0 likes, 0 repeats
~> @Seirdy@pleroma.envs.net @LunaDragofelis@embracing.space @alcinnz@floss.social hmmmi kinda disagree with the second pointon my personal website i @import a style.css and have set up CORS on my other sites to allow that same file to be loadedit's not much of anythingand on random.amongtech.cc the images are imported from codebergmany things use external resources so um. yea
(DIR) Post #AIWJLwacgax2wW3CLI by Seirdy@pleroma.envs.net
2022-04-16T22:08:11.548893Z
0 likes, 0 repeats
@forever @alcinnz @LunaDragofelis the problem is that not everyone is as cool as you, and some can misuse them.It's better to just concatenate your files or only reference them from HTML, to reduce the scope of conditional loading.I'm trying to do this so eventually someday the Tor Browser can figure out that it's safe to turn on dark mode, accessibility tweaks, and other customizations. I need to err on the side of safety.
(DIR) Post #AIXBQIHfMeFAuRht3I by lectie@mastodon.lol
2022-04-17T07:30:40Z
0 likes, 0 repeats
@alcinnz I agree with most of the thread, but I think it’s a really good thing that a website can do most of what a desktop app can! There’s a far lower barrier of entry to making a website than to making a native app, and I don’t want to have to download a native app to buy something from an online store or join a social media platform.Even mastodon is built primarily on the web, and it relies on the ability to execute (some) code in the browser to work!
(DIR) Post #AIXBQIzcjDPD6mGzZI by iron_bug@friendica.ironbug.org
2022-04-17T07:43:59Z
0 likes, 0 repeats
lower barrier of entry? but who cares?imagine you has come to a restaurant and they say: we have some noobs working here, please enjoy this unedible burnt crap. we has too little time to cook that. ot at a dentist clinic they claim something like: out dentist is too stupid and unskilled and thus we will pull out your teeth because we cannot fix them. this is something wrong, don't you find it?then why users should consume something that is made by some stupid monkeys in software? this is not a service, this is crap.
(DIR) Post #AIXBQJiI398PLJAfBo by lectie@mastodon.lol
2022-04-17T07:48:25Z
0 likes, 0 repeats
@iron_bug @alcinnz most businesses with a website aren’t in the business of having a website. I don’t care about the quality of their website, I care about the quality of their service (which ISNT the website).Sure, a restaurant website or a website for a dentist might be crappy, but it’s much better than not having a website at all. It’s *good* that I can see phone numbers, menus, hours, and information.
(DIR) Post #AIXBQKLdgqbtJLa5WS by iron_bug@friendica.ironbug.org
2022-04-17T07:53:48Z
0 likes, 0 repeats
nope. site is also a business and the quality of service. programmer is a profession. and user data leaks from different crappy websites is the proof. it should not be like that. non-profrssional noobs should not approach the development in production. one may train to cook or program (or anything else) at home. but when it comes to work - there should be a professional standards and requirements for hiring personnel. nobody wants shitty service. and software is a service too.
(DIR) Post #AIXBQKrBnXqatCLHhQ by lectie@mastodon.lol
2022-04-17T08:00:02Z
0 likes, 0 repeats
@iron_bug @alcinnz programming is a profession, yes. But many small businesses and organizations *do not have it in their budget to higher a programmer*. Nor should they need to. We cannot impose our professional standards on other fields. It’s like saying “everyone should be required to hire a graphic designer when making a poster”. No, that’s absurd!
(DIR) Post #AIXBQLdksyhBJp44Om by iron_bug@friendica.ironbug.org
2022-04-17T08:04:51Z
0 likes, 0 repeats
they shouldn't. there're IT companies for this. IT should deal with IT. doctors should cure, tailors should sew, bakers should bake. and there's no need for "small businesses" to cook their bread for breakfast and have a personal tailor to sew a pants. this is senseless.
(DIR) Post #AIXBQMFgbx2LDSoMWO by lectie@mastodon.lol
2022-04-17T08:12:19Z
0 likes, 1 repeats
@iron_bug @alcinnz I personally prefer a web where anyone can make a website to one where you have to hire a firm to make it for you.Most websites need not be perfect. People cook for themselves, people clean for themselves, and people can make websites for themselves.Besides: most people trying to make a website will either:- end up with a static site, with no security risks, OR- use a firm like SquareSpace (in which case the onus is on SquareSpace)
(DIR) Post #AIazkDljRHxzsdLSaG by doctormo@mastodon.social
2022-04-19T03:48:03Z
3 likes, 5 repeats
@alcinnz From an Inkscapian/SVG perspective the W3C (i.e. google and mozilla) have been shitting all over our standards work for years.Then when we get svg 2.0, they do *nothing* to implement it. Once again leaving Inkscape the only software to support a web standard that it couldn't get it's own needs into.When people say re-write inkscape as html5 tool, they have this idea that svg is well supported in Chrome. It is NOT.
(DIR) Post #AIazvFc8v0iWmy7SbI by veer66@norze.world
2022-04-19T04:24:00.674437Z
0 likes, 0 repeats
@alcinnz Even Servo isn't yet usable. 😿
(DIR) Post #AIb0Bi44uL83ez2Akq by veer66@norze.world
2022-04-19T04:26:57.331937Z
0 likes, 0 repeats
@doctormo I used to think similar to what you mentioned. But now I stop since Inkscape can display "ทำ" recently. Now I'm happy. @alcinnz
(DIR) Post #AIb1oiIo3fgHe25M5w by doctormo@mastodon.social
2022-04-19T04:37:13Z
1 likes, 0 repeats
@veer66 @alcinnz kap-koon kap!
(DIR) Post #AIb3HhlZELTEKlvTai by Seirdy@pleroma.envs.net
2022-04-19T05:01:42.811652Z
0 likes, 0 repeats
@doctormo @alcinnz …and this is why I stick to the SVG subset that is supported in SVG 2.0, SVG 1.2 Tiny, and SVG 1.1 In the secure static processing mode that works in <img> elements. For icons I take it a step further and stick to SVG Tiny Portable/Secure.Because then I know my images will be supported in Qt, librsvg, NetSurf, SerenityOS, old web browsers, and most other things that handle SVG.
(DIR) Post #AIbCmj2bRL32qtlEki by Sandra@idiomdrottning.org
2022-04-19T06:25:50.233896Z
0 likes, 4 repeats
@doctormo Sodipodi/Inkscape is such a success story over why XML rules and JSON drools, namely namespaces and schema. The generational paradigm shift to JSON has been such a NIH-driven nightmarish reinvention of everything but worse. (JSON made some amount of sense when you were deserializing your own known-safe objects, but the fact that i.e. ActivityPub is in JSON is messed up.)Yeah, SVG as a web standard is not doing well.SVG as Inkscape's format works well but it's a square-peg fit—everything (that has, for example, path effects) needs to be represented twice, both with all the Inkscape concepts and handles, and as viewable-everywhere plain paths. Kinda strange from the perspective of a platonic ideal vector serialization format. But, again, thanks to the life-changing magic of name spaced tagged tree data that is XML, at least it works. ♥
(DIR) Post #AIbCmjQM122y2YsCm0 by Sandra@idiomdrottning.org
2022-04-19T06:33:08.199542Z
1 likes, 0 repeats
@alcinnz Safari is so nice ♥ Epiphany / Gnome Web is awesome.But yeah, world-writable execution a.k.a. JavaScript was a mistake.
(DIR) Post #AIbDZMenS43lcRooN6 by alcinnz@floss.social
2022-04-19T04:03:41Z
0 likes, 0 repeats
@doctormo I'm not surprised! Afterall, it took them forever to implement new form inputs! And CSS seems to be at a lower priority for them than JavaScript.Btw, very soon I'll start/continue discussing the SVG renderer I'm planning to pull in for Haphaestus. Pure Haskell, uses a different XML parser than I am but renders to the same image type I plan to use otherwise. Thought you might be interested!
(DIR) Post #AIbDZNIr386PcgYnoG by doctormo@mastodon.social
2022-04-19T04:39:42Z
0 likes, 0 repeats
@alcinnz Of course!SVG is a really hard spec to support, but I love to see new ones. Most might be tempted to just use librsvg... which would negate javascript and SMIL but would be better than Chomr eofr mesh gradients at least ;-)
(DIR) Post #AIbDZNu4ojsPU7yWpM by Seirdy@pleroma.envs.net
2022-04-19T06:56:55.259065Z
0 likes, 0 repeats
@doctormo @alcinnz librsvg is quite capable but it’s typically packaged with a metric ton of dynamically linked libraries. Would be cool to see a “librsvg-lite” package.SVG is a really hard spec to support, but I love to see new ones.SerenityOS’s LibWeb’s SVG component, NetSurf’s Libsvgtiny, and resvg are some that I have my eyes on.
(DIR) Post #AIbFzxecienrnkY0u0 by Seirdy@pleroma.envs.net
2022-04-19T07:24:09.679064Z
0 likes, 0 repeats
@Sandra @alcinnz WebKit was kind of a mess last I checked. A bunch of site-specific quirks, a history of idiosyncratic handling of ARIA roles, half-baked poorly-researched fingerprint defenses, and a generally messy C++ codebase. At least it's lightweight and easy to embed with libwpe.Well, that all describes WebCore. JavaScriptCore is actually really good on ARM processors; no other JIT compiler really compares to its exploit mitigations, though V8 will be catching up soon.
(DIR) Post #AIbG7YARMXWH4X33kO by humanetech@mastodon.social
2022-04-19T07:19:50Z
1 likes, 1 repeats
@Sandra @doctormo > but the fact that i.e. #ActivityPub is in #JSON is messed upYou'll likely dig the #XMPP direction that #openEngiadina went then.https://inqlab.net/2021-11-12-openengiadina-from-activitypub-to-xmpp.htmlhttps://inqlab.net/2022-01-17-activitystreams-over-xmpp.htmlhttps://inqlab.net/2022-04-14-geopub-datalog-rdf-and-indexeddb.html
(DIR) Post #AIbG9vDiciUF9GiFlY by Sandra@idiomdrottning.org
2022-04-19T07:25:41.395758Z
1 likes, 0 repeats
@Seirdy What I love about it can be summarized in twelve bytes: fuck google!
(DIR) Post #AIbU9Jnz89RWSxHZYG by iron_bug@friendica.ironbug.org
2022-04-16T10:09:39Z
0 likes, 0 repeats
but sometimes I want to start a new engine. amone the existing ones I like Netsurf: it's written in C and has the most compact and robust realization, and their own renderer.
(DIR) Post #AIbU9KITInpTzVXv4S by alcinnz@floss.social
2022-04-16T10:10:52Z
0 likes, 0 repeats
@iron_bug Same here!
(DIR) Post #AIbU9KsH9gT9mYIVsW by iron_bug@friendica.ironbug.org
2022-04-16T10:59:45Z
0 likes, 0 repeats
more problems is graphics and direct memory access that they made specially for browsers. I believe it was a deadly mistake. the most untrustworthy and buggy software has direct access to video bugffers in system. this is wrong, just wrong. and JS turns any browser into malware, factually. so the web as it is now is something evil and dangerous.
(DIR) Post #AIbU9LUCseoJgC2o08 by ixn@mastodon.xyz
2022-04-17T02:43:36Z
1 likes, 0 repeats
@iron_bug @alcinnz Modern GPUs (i.e. anything supporting WebGL) have enough isolation that malicious code shouldn't be able to do anything worse than a denial-of-service by causing GPU timeouts.(But even that can kill the display server with some drivers.)It's not like any GPU would have a vulnerability allowing modification (and possibly reading) of another process' graphics memory, right? Right?(Hint: some do)
(DIR) Post #AIc8gZEamZq02d8Xtw by loke@functional.cafe
2022-04-19T07:24:51Z
1 likes, 3 repeats
@Sandra @doctormo XML got such a bad reputation because in the late 90's people were screaming that XML was the solution to everything (similar to how some people argue that blockchains are the solution to everything today).The solutions some people built were so horrendous that the backlash led to JSON, which ignores all the good things about XML, and even the things where it improves on XML is done poorly (unspecified numeric precision in an interchange format. what the actual F?)
(DIR) Post #AIc96ElDWgHM4XdZ8i by lanodan@queer.hacktivis.me
2022-04-19T17:41:32.928893Z
1 likes, 1 repeats
@loke @Sandra @doctormo Yeah, XML vs. JSON is comparing a Bazaar and a Cathedral.And I would argue that people who can't do the difference should be taken as incompetent and should be blatantly ignored when it comes to choosing formats.
(DIR) Post #AIc9aeg7jEph8tl82i by icedquinn@blob.cat
2022-04-19T17:47:04.138449Z
1 likes, 0 repeats
@lanodan @loke @Sandra @doctormo :comfypeek: people really didn't understand the point of SGML. then took its interchange form (XML) and then used it wrong (Java config files.) :blobcatgooglypen:
(DIR) Post #AIc9qIy4DRXiRRc9gG by icedquinn@blob.cat
2022-04-19T17:49:53.902062Z
0 likes, 0 repeats
@lanodan @Sandra @doctormo @loke there is this book called "Building APIs You Won't Hate" that i read and it details how bookface and birdsite both started with json and then basically just reinvented xml on top of it again.and if you want a worse nightmare than the variable precision numbers, know that crypto code in JS spaces likes to sign the json object (not a serialized form of it) so to check if a json object's signature is valid you have to make extra special care that you don't end up accidentally rounding those numbers while reading them to print the canonized output to check the signatures against. :blobcatsleepless:
(DIR) Post #AIcAOu9aSyHNcKV8wC by lanodan@queer.hacktivis.me
2022-04-19T17:56:07.809871Z
1 likes, 0 repeats
@icedquinn @loke @Sandra @doctormo JSON fucking LD Signatures does that.And somehow I think Mastodon still hasn't grasped that it is a terrible idea, they only slightly stopped using it because having an eternally valid signature would be a disaster for privacy (Plausible Deniability).And while we're at it: JSON-LD is just adding the annoying part of XML (URL namespaces you must fetch at least once) without any of the good parts (gracious fallbacks, offline-aware namespaces, …).