Artificial truth

The more you see, the less you believe.


The web browser I'm dreaming of
Mon 17 May 2021

Those are the main features I'm expecting from a web browser:

  • Written in a memory-safe-ish language that a plebeian like me can understand, review and contribute to, like rust and go or even lua or V, but please no lisp, elisp or haskell.
  • Sandboxed to death.
  • Ability to block ads because the web is a hot bubbling cesspool.
  • A sensible subset of modern https, html5, css3 and http 1.1 (and maybe http2 if you're feeling fancy, because multiplexing requests is neat).
  • Basic javascript (or even better, typescript) support, with something like a dumb interpreter, also written in a memory-safe-ish language.
  • maybe tabs

Now here is a subset of the ones that I don't want, and that the vast majority of websites and their users either don't care about, don't use, or even shouldn't be using in the first place:

  • Ridiculous performance hacks:
    • WASM: The web used to be readable-ish, debuggable, observable-ish and introspectable. I don't want to run assembly in my web browser and lose those properties, for what exactly? Mining bitcoin/monero, cross compiling programs to make fun demos, and providing a RWX segment for every browser exploit.
    • Crazy optimizing compilers/JIT contraptions with ungodly hacks: we shouldn't need those to have usable webpages. Firefox, for example, has a two-tier interpreter and a two-tier JIT. Google Chrome has a 3-tier JIT and an interpreter. Previously, it was JIT-only, then 2-tier JIT, then 2-tier JIT plus interpreter, then 3-tier JIT plus interpreter, then single-tier JIT plus interpreter. I want my javascript to be stupidly interpreted, I don't want speculative type inference, I don't want profile-based optimizations, … I want less code involved with javascript, and I don't care about having near-native performance in this area if it comes at such a high price complexity-wise.
    • DNS prefetching: self-host your resources, instead of delegating them to a steaming pile of untrusted statistics-hoarding CDN kinda obsoleted by http2 anyway.
    • Async and defer, instead of not loading gargantuan amounts of javascript.
    • Subresource loading with Web Bundles: no.
    • Battery-savings meta tag: don't eat my battery in the first place.
    • WebCodecs: "support emerging applications, such as latency-sensitive game streaming, client-side effects or transcoding, and polyfillable media container support". Nobody except Google is doing game streaming in a browser, and nobody except youtube wants to have web browsers doing transcoding.
  • Things my operating system is already doing, but apparently needs to be done by my special snowflake of a web browser.
  • Fuck accessibility misfeatures:
    • Encrypted Media Extensions, adding proprietary inscrutable blackbox garbage so that some people can watch netflix in their browser. Just give up on DRM already, they're useless at best, harmful at worst.
    • Frames: a thing from the past that should be thrown directly into the Sun.
    • Clipboard API: not only a privacy concern since websites shouldn't be able to read/write into your clipboard, but also a nice opportunity to screw accessibility over by preventing people from copy/pasting content on websites. Sandbox escapes as a bonus.
    • Pointer Lock API: "It gives you access to raw mouse movement, locks the target of mouse events to a single element, eliminates limits on how far mouse movement can go in a single direction, and removes the cursor from view. It is ideal for first person 3D games, for example.". Because of course implementing FPS in a web browser is such a common genuine usecase warranting an implementation of this feature in every single web browser.
    • Session history management, because manipulating the user's browsing history is of course a feature and not a horrible malpractice!
    • Print events, because adding annotation and watermarks is neat!
    • Disabling the spellcheck, what's even the usecase for this?
  • Multimedia stuff, because the web is the new demoscene apparently:
    • WebGL: My web browser isn't a game console. Microsoft even considered it harmful.
    • WebGL 2.0, because you can't deprecate/supersede shit fast enough, and having bleeding edge accelerated 3D graphics rendering in a web browser is an essential capability.
    • WebRTC: "real-time communication capabilities", in a web browser. Pepperidge farm remembers when chat apps weren't running in browsers.
    • Web MIDI API: to run synthesisers I suppose? Sandbox escapes as a bonus.
    • WebVR WebXR Device API, virtual reality, why…
    • Canvas API: "The Canvas API provides a means for drawing graphics via JavaScript and the HTML <canvas> element. Among other things, it can be used for animation, game graphics, data visualization, photo manipulation, and real-time video processing." all essential usecases for the vast majority of websites. Actually, a significant number of websites are using this API for tracking purposes.
    • WebGPU: I don't want to play games, I want to browse the web. I don't want my browser to have low-level access to my GPU and its stellar quality drivers.
    • Media Session API, to customize media notifications.
    • Gamepad support, because I've always dreamt of browsing the web with a joystick or a PS1 controller! Sandbox escape as a bonus.
    • Web Audio API: because without the ability to add effects to audio, mix sources, create audio visualizations and apply spatial effects, how would one reimplement ardour in a browser? On the bright side, processing audio is a straightforward process, and this added complexity will for sure never be a source of critical security issues.
    • A builtin PDF viewer: Can we please stop trying to shove every single desktop application in web browsers? It's not as if the PDF specification was a longer-than-the-Bible trashfire complexity-wise that will invariably lead to catastrophic bugs anyway. Sandbox escape as a bonus.
    • Client-side video editing: I don't even.
    • Speech Recognition: this should be something globally available on your operating system; imagine if every program on your computer was implementing this in their own fashion. Sandbox escape as a bonus.
  • Security misfeatures:
  • Exotic fileformats and protocols support
    • FTP support: the 70s called, they wanted their protocol invented before TCP/IP back.
    • Gopher support.
    • 3GP: "The format was designed for use on 3G mobile phones, but can still be used on more modern phones and networks."
    • QuickTime shit
    • ADTS/AAC: everyone uses mp3, ogg or flac except Apple and a few game consoles.
    • TIFF, because tiff is such a great format, and uncompressed/ghetto-compressed scanned photos are something common on the web.
    • BMP: horribly inefficient, nobody uses it anymore, just drop it already.
    • WAV: Uncompressed audio, nobody should use it to play sounds on webpages.
  • Tracking garbage:
  • Straight spam:
    • Vibration API: great way to empty my battery and get on my nerve at the same time!
    • Notification: just no. I don't want them on my phone, I don't want them on my desktop, I don't want them on the web. I want to be able to focus on what I'm doing, and not be constantly distracted. Also, in what situation would I want to allow a website to notify me of anything? Nothing they have to tell me about is urgent enough that it shouldn't be sendable via email.
    • Autoplay: I really love it when some random webpage decides to play audio on its own, and I have to hunt which one it is and where the media controls are on it.
    • Contact Picker API, I can copy-paste phone numbers, thank you.
    • Screen Wake Lock API, another really cool way to drain all my battery.
    • Web App Manifest: I already have bookmarks, thanks.
    • Modal Dialogs: just do it with html already.
    • "Sponsored images": stop trying to shove ads everywhere.
    • Popups: I thought we all agreed in the 1990s that those were the cancer of the internet, and should be eradicated.
    • Run PWA on OS Login: no I don't want websites to crawl from the depths of my browser and be automatically run at my operating system's startup.
  • Useless API:
    • Barcode Detection API y tho.
    • WebUSB: USB is horrible security-wise, and what would be the usecases anyway?
    • Permissions API: since we now have a gigantic pile of API and weird features, we of course need an API to see which ones are available.
    • WebSockets: "a two-way interactive communication session between the user's browser and a server.", I don't want interactivity, I want to read webpages.
    • Web Storage API: client-side key-value storage, which should happen server-side instead.
    • Background Tasks API: because everything is so bloated that we need asynchronism in resources processing.
    • Merchant Validation: I knew that PHP5 had some credit card processing features, but it's no excuse to bolt some payment primitive directly into javascript.
    • Microtransaction payment handlers: can't wait for the blockchain version.
    • Payment Request API: the justification for this API's existence is that checkout forms are too cumbersome. A ton of sandbox escapes as a bonus.
    • MediaStream Image Capture API, because of course I want my web browser to be able to use my webcam and take pictures! Sandbox escapes as a bonus.
    • Push API: just use ajax
    • Web Serial API: What website doesn't need to access a serial port nowadays? Sandbox escape as a bonus.
    • The fuckton of useless CSS properties that nobody is using.
    • Video encoders: "This feature ships an AV1 encoder in Chrome desktop, specifically optimized for video conferencing with WebRTC integration.", a common feature of websites, thus it's completely worth adding a complete video encoder in the browser.
    • Raw Sockets API: the only usecase I see for this is DDoS and implementing nmap in javascript. Oh, and also, free SOP bypasses.
  • Misc junk:
    • Craptocurrencies trading: fuck no.
    • File System Access API: "It expands the current file capabilities of a browser and can enable developers to create software to open and save files. Software such as IDE's, photo or video editors and text editors, to name but a few.".
    • File and Directory Entries API: "a "virtual drive" within the browser sandbox", to be used for drag'n'drop. Just use an upload form instead.
    • Offline web applications: I don't want web pages to become applications. Stop having apps for everything. Moreover, most of the webpages aren't (and shouldn't be) super-interactive, and are already perfectly usable offline.
    • IndexedDB: because a full-fledged client-side SQL database sounds like a must-have to browse webpages. And of course, there is already IndexedDB 2.0 and IndexedDB 3.0, each 3 years distant from the other, a sane amount of time for everyone to implement something this complex. But I guess you gotta compete with Google to see who can deprecate the fastest! A metric ton of various interesting sandbox escapes as a nice bonus.
    • SVG favicons: nobody is going to zoom on your favicons, or appreciate how crisp they are on a retina display.
    • Pocket should be a web extension, not something bundled in my browser, ideally with a less shitty privacy policy.
    • DOMMatrix: just use javascript arrays.
    • Plugins support, like h264 or DRM in Firefox: Java and Flash were pure cancer in every possible way, just trash this "feature" already.
    • Heavy Ad Intervention: "These poorly performant ads (whether intentional or not) harm the user’s browsing experience by making pages slow, draining device battery, and consuming mobile data (for those without unlimited plans)." Fascinating. The same reasoning applies to every single ad: what about blocking them all?
    • Quirks mode: If a website is important enough to warrant a special snowflake mode in a browser because it uses some obsolete features/hacks, it surely can hire someone to fix their broken code.
    • Internationalized domain names: because phishing isn't a thing. Punycode isn't a solution since it only covers ASCII domain spoofing.