[HN Gopher] Shadow: New browser engine made almost entirely in J...
___________________________________________________________________
Shadow: New browser engine made almost entirely in JavaScript
Author : akling
Score : 217 points
Date : 2023-10-27 19:46 UTC (3 hours ago)
(HTM) web link (goose.icu)
| DarkNova6 wrote:
| This guy knows his audience well. He answers the question of "but
| why?" in the first sentence:
|
| > So I started making a browser engine (for fun) a few days ago,
| it felt kind of inevitable so here we are
|
| And I got to admit, it is pretty neat.
| zzzbra wrote:
| yet one still feels compelled to ask... pretty neat indeed.
| dirtyhippiefree wrote:
| I'm hearing: I did it for fun...never considered the
| possibility of JavaScript rootkits, because there's no fun in
| that...
| Almondsetat wrote:
| A shadow of the former self
| Pr0ject217 wrote:
| I don't think it's working for me (none of the keybinds work, and
| I don't see the fps counter). Brave, script-blocking disabled.
| bsimpson wrote:
| Did you click the demo?
|
| The linked page has a screenshot of the engine. You have to
| click through to get the full viewport experience (with
| keybindings).
| dugmartin wrote:
| It is a little unclear. You have to click the "Try it in your
| browser!" link: https://shadow.goose.icu/
| _Algernon_ wrote:
| The inevitable question then: Can you run this browser engine
| within itself, and if so, how many layers deep can you get before
| the universe implodes?
| kube-system wrote:
| > https://shadow.goose.icu/?https://shadow.goose.icu
|
| > Fatal error
|
| Not quite!
| runnr_az wrote:
| haha... I knew I wasn't gonna be the only one who tried that.
| forgotpwd16 wrote:
| Anything I tried returns fatal error. Is this really how it
| is meant to browse a URL?
| kube-system wrote:
| That sounds consistent with the intro:
|
| > known issues
|
| > basically every site doesn't work ;)
| devman0 wrote:
| Not everything!
|
| I got https://shadow.goose.icu/?http://captive.apple.com/
| to work!
| mmsimanga wrote:
| Turtles all the way down
| bioneuralnet wrote:
| One assumes the JavaScript engine is just "eval(...)".
| canadahonk wrote:
| Nope! It uses Wasm (really WASI) builds of existing JS
| engines ;)
| jagged-chisel wrote:
| > Name
|
| > As with all my recent projects, the name is because ...
|
| This makes me whisper the name in my head
| Aardwolf wrote:
| First of all, very neat!
|
| Text selection doesn't work. I guess it's rendered to canvas...
| but would there be any way to make this work?
| monomere wrote:
| you would need to implement it manually, as with all the other
| features (shouldn't be super complicated)
| Beijinger wrote:
| Nice. But I would have preferred if he had worked on Uzbl
|
| https://en.wikipedia.org/wiki/Uzbl
| jraph wrote:
| I don't get it. Uzbl is a webkit-based browser. Can you expand
| on this?
|
| It's not like one of those browser engines that are promising
| but not quite there yet, like NetSurf, Servo or Ladybird.
| Beijinger wrote:
| "The core component of Uzbl is written in C, but other
| languages are also used, most notably Python."
|
| Man, this thing was small and fast
| jameslk wrote:
| There's something really beautiful about creating a browser that
| can run in a browser. We can finally steamroll a lot of those
| cross browser incompatibilities by replacing the host browser
| engine entirely. It's like the nuclear option to fight against
| the new IE (Safari)
| IAmLiterallyAB wrote:
| I dunno I'd say the new IE is Chrome. They basically control
| the ecosystem and everyone targets them when developing. "Best
| viewed with Internet Explorer Chrome"
| leblancfg wrote:
| I think GP meant "the minority browser we bend our logic for,
| in order to accommodate"
| jameslk wrote:
| Yes, that is what I meant. I have to work on a lot of
| e-commerce websites and the WebKit browser engine is the
| one that seems to always be late to the party or outright
| won't support new features. But of course most shoppers on
| a website are on mobile Safari, especially the ones making
| purchases. And there's nothing anyone can do about it
| because Apple won't allow other types of browser engines on
| iOS.
| simondotau wrote:
| If you need "new features" not available in Safari in
| order to run an ecommerce website, I'm fairly confident
| that you're doing it wrong.
|
| (Of course usually when one delves into exactly what
| features Safari is missing, specifically the ones which
| piss off web developers, it's push notifications. And to
| that I salute Apple for bravely holding the line against
| that nonsense.)
| jameslk wrote:
| No, for me they have more to do with web performance.
| Look up how to track Largest Contentful Paint in Safari,
| for example. Many other types of ways to optimize
| websites are not available in Safari.
|
| IIRC push notifications are supported in Safari.
| simondotau wrote:
| The absence of LCP reporting doesn't affect your ability
| to build a website that works in Safari. My suggestion is
| to stop embedding eighteen third party performance metric
| platforms and your website will be faster than any of
| those platforms could ever make it.
|
| I work in this field too and I've heard it all before --
| and 99% of it is bullshit. Performance is a solved
| problem unless you build some ridiculous Rube Goldberg
| machine of libraries atop libraries.
| simondotau wrote:
| > "the minority browser we bend our logic for, in order to
| accommodate"
|
| The web is dead. All hail the Chrome Platform, where the
| official definition of correct behaviour is "whatever
| Chrome does."
|
| How _dare_ Apple force web developers to target more than
| one browser engine. Interoperability and platform
| agnosticism is for losers.
| xp84 wrote:
| This is interesting. Chrome is the new IE as IE was in
| 2002, namely, most people regarded it as "the only browser
| any normal person would ever use."
|
| Safari is the new IE in the sense that IE was in the late
| 2000s/early 2010s, meaning it's the browser that we would
| like to ignore due to how weird it is compared to the browser
| we normally target. And how stubborn the vendor is in neither
| acting like the majority browser, nor giving up and adopting
| a different engine (or in the case of iOS, even allowing a
| different engine to run).
| dirtyhippiefree wrote:
| I see: in the case of iOS, even allowing a different engine
| to run
|
| I'm hearing: iOS is *considerably more secure* like
| Blackberry was.
| tedunangst wrote:
| What features does shadow implement that are missing from
| safari?
| lionkor wrote:
| Right after we made the browser to fight cross-OS
| incompatibility, which were made to fight cross-smaller-OS
| incompatibility, which were made to fight machine code and
| punching card and hardware incompatibility...
|
| At some point maybe the web dev world will understand that,
| sometimes, you just have to live with the fact that there is no
| one true best solution, and instead build tools that are built
| with cross-platform in mind (like Qt, SDL, etc.).
| lodovic wrote:
| It would be interesting to have Firefox available in
| WebAssembly
| 3seashells wrote:
| Every Innovation, in its last dying motions becomes the world,
| the operating system, the compiler, the browser
| notorandit wrote:
| Wrong title. An almost complete web engine written in JavaScript.
| taddevries wrote:
| "Who knows what lurks in the hearts of [browsers]? The Shadow
| knows."
| klysm wrote:
| We are sorely lacking inner browser virtualization. This way web
| pages can virtualize other web pages internally via canvas and
| get true micro-front ends! Every component can be fully isolated
| from every other component and they will communicate via network
| requests to each other
| maciekpaprocki wrote:
| wait. why not iframes?
| nine_k wrote:
| You can inspect iframes.
|
| To make the web entirely like a TV, everything should be
| rendered on canvases. To let you truly deploy your org chart,
| each team should be responsible for one isolated canvas.
| DaiPlusPlus wrote:
| > To let you truly deploy your org chart, each team should
| be responsible for one isolated canvas.
|
| ...sounds like the Spotify desktop client.
|
| ...or Flutter-for-Web.
| Hackbraten wrote:
| Wait until scammers start adopting that technique for their
| fake websites. Each widget will then be responsible for its own
| bounded con text.
| omneity wrote:
| To sarcasm or not to sarcasm .. The line has never been
| thinner.
| biugbkifcjk wrote:
| Should add the browser for SerenityOS to the examples of new
| browser engines.
| canadahonk wrote:
| It's there - Ladybird (https://ladybird.dev)
| EvanAnderson wrote:
| There's a product here that's been waiting to happen for a while.
| I've been anticipating somebody cross-compiling another browser
| engine to WASM but this works, too.
|
| Deliver your site only to the "inner browser" (that the user has
| no control over because it's heavily obfuscated and tricked-out
| with anti-debugging code) and you eliminate all ad blockers.
| Throw some DNS-over-HTTPS w/ certificate pinning in for good
| measure and you kill DNS-based ad blockers too.
|
| Accessibility will be a challenge but if it sells that'll get
| "fixed".
|
| (I think this idea is evil, BTW, but somebody is going to do it.)
|
| Edit: As an aside this needs to go here, too.
| https://www.destroyallsoftware.com/talks/the-birth-and-death...
| hughes wrote:
| Sounds a lot like Flash.
| DaiPlusPlus wrote:
| except without the local-system security risks
| EvanAnderson wrote:
| And no plug-in to download because everybody's browser has
| a highly-performant Javascript engine.
| imachine1980_ wrote:
| I don't feel like having an extra virtual DOM over the
| virtual DOM of React will make things highly performant.
| God, we need this to not happen. I wish to see the 0,1
| fps React CRUD app that will come from this.
| szundi wrote:
| This is the plugin
| SoftTalker wrote:
| Says who?
| ta8645 wrote:
| I was worried from the very start of the WASM tech, that it
| would lead to the end of the user-controlled client. You don't
| even really need an embedded browser, a motivated provider
| could create a completely proprietary protocol for rendering
| their pages.
| EvanAnderson wrote:
| A browser is nice because the provider can continue to use
| their whole tech stack, hosting, dev tools, etc. Just wrap it
| in a proxy that only wants to talk to the "inner browser".
| thriftwy wrote:
| That you can do trivially even today. Just show your web site
| using in-browser VNC client.
| hot_gril wrote:
| That's the final form. Kinda like video game streaming.
| insanitybit wrote:
| People could have been doing this with JS for a long time. This
| is hardly the first virtual machine in JS and it seems like
| overkill.
|
| The far more likely way we'll see push back against Ad Blockers
| is by simply detecting that an Ad did not play and then
| refusing to display content until it does.
| rzzzt wrote:
| How about reversing the idea? Play the ad in the WASM browser
| and not pass it on to the outer instance.
| lodovic wrote:
| the outer instance is still needed for http requests, so it
| can still block ads
| None4U wrote:
| WebTransport + encryption
| kgwxd wrote:
| The internet advertising industry needs to move past insisting
| that user machines have to be involved in a business
| relationship they have nothing to do with and no legal, or
| ethical, obligation to uphold. All other forms of advertising
| work that way. The advertiser and host need to figure out how
| to keep each other honest without involving passers-by.
| cyanydeez wrote:
| Thing is, internet adtech involves a rock paper scissors
| evolution.
|
| It's not just an advertisement and a viewer, it's also the
| bots.
|
| Adtech is where it's at now just cause it wants you to see it
| but because an industry of faking viewership built up around
| it.
|
| No other advertisement has really had to deal with how ads
| are bought on per viewer basis.
|
| All the targeting tech is equally a response to
| "personalization" as it is to "fraudulent botters"
|
| You can then understand that if ads reverted to the old
| static billboard or tv commercial state, there'd probably be
| little incentive to harass the user.
| adtac wrote:
| Certificate pinning is easy to work around if you know which
| bytes to change, so that's what adblocking will be
| chatmasta wrote:
| This might be something you fear, maybe even legitimately, but
| it seems hyperbolic to assign an equivalence to your worst fear
| and the passion project of an individual who made this and
| probably does not have any of the nefarious intentions you
| default to attributing to anyone who could create something
| resembling it.
| everfree wrote:
| That sounds somewhat similar to the Chrome team's Web
| Environment Integrity proposal.
|
| https://news.ycombinator.com/item?id=36778999
| cyanydeez wrote:
| Godel would like a word with you.
|
| https://plato.stanford.edu/entries/goedel-incompleteness/sup....
| bhaney wrote:
| At that point I'm just going to have my ad blocker block the
| entire "inner browser." No website that would employ such a
| lovecraftian horror is worth visiting anyway.
| tshaddox wrote:
| Presumably the worry is that the big ad companies would get
| approximately every website in the world to use this
| technique, which is already the only reason web advertising
| is such a big problem.
| __MatrixMan__ wrote:
| The next step in the arms race is to provide hosted ad
| blocking, where the action happens (however nested) in a
| headless server and an AI looks it over and relays only the
| stuff that looks like content into a cleaned up session for the
| user. It would eventually start looking like a CDN where the ad
| blocker caches the content so it doesn't have to bother
| contacting the underlying site so often.
|
| I would pay for such a service.
| tshaddox wrote:
| > Deliver your site only to the "inner browser" (that the user
| has no control over because it's heavily obfuscated and
| tricked-out with anti-debugging code) and you eliminate all ad
| blockers. Throw some DNS-over-HTTPS w/ certificate pinning in
| for good measure and you kill DNS-based ad blockers too.
|
| I'm confused how the "inner browser" meaningfully helps you
| accomplish this. How is this any easier or more effective than
| just having a website that hosts its own advertising assets (or
| proxies them) and obfuscates/randomizes its DOM structure to
| make ads difficult to target with simplistic ad-blocking rules?
| NetOpWibby wrote:
| Brilliant. I love this so much.
| doublerabbit wrote:
| FreeBSD, Firefox 115.0 - Fails.
|
| I get a page of White and Black and <shadow> as a title.
| CodeCompost wrote:
| https://shadow.goose.icu/?http://acid3.acidtests.org/
| orangepurple wrote:
| Are we one step closer to using a VNC client to access services
| on the Internet?
| quelsolaar wrote:
| When desktop applications running in Electron just don't have
| enough web abstraction to keep up with Moore's law, a hero comes
| along to ensure there can always be one more level of
| JavaScript between you and a responsive UI.
| Terr_ wrote:
| Speaking of Electron... when I start my Slack client for work,
| there are a series of processes where at least one reports
| 1.130 _terabytes_ of virtual memory. (Shown in top as "VIRT".)
|
| Now, maybe that's just a _potential_ usage that trust-me-bro it'll
| never _actually_ try to use or access in RAM or on disk...
| but how on earth is that number for a _chat client_ so much
| bigger than either Firefox with 100+ tabs or even Java-based
| IDEs like Webstorm?
| cangeroo wrote:
| Virtual memory is allocated for isolation reasons. See v8
| isolates.
| jsight wrote:
| There must be a term for this sort of situation.
|
| Something about coming full circle, but that full circle is
| inside of a dumpster fire.
|
| Also, I love this. This is fine.
| bobajeff wrote:
| I think it's pretty cool. Maybe browsers are the kind of thing
| that should be written in a high-level language like js. Except
| for the JavaScript engine of course.
| uoaei wrote:
| Opening up not just a can but a whole writhing pit of worms with
| regard to security vulnerabilities.
| canadahonk wrote:
| It is technically memory safe :^)
| raytopia wrote:
| Cool project! Reminds me of Grail https://grail.sourceforge.net/
| which was written entirely in Python.
___________________________________________________________________
(page generated 2023-10-27 23:00 UTC)