Most active commenters
  • lukan(5)
  • gmueckl(4)

←back to thread

742 points janpio | 23 comments | | HN request time: 1.018s | source | bottom
Show context
arccy ◴[] No.45676475[source]
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(15): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #
0xbadcafebee ◴[] No.45677379[source]

  In the past, browsers used an algorithm which only denied setting wide-ranging cookies for top-level domains with no dots (e.g. com or org). However, this did not work for top-level domains where only third-level registrations are allowed (e.g. co.uk). In these cases, websites could set a cookie for .co.uk which would be passed onto every website registered under co.uk.

  Since there was and remains no algorithmic method of finding the highest level at which a domain may be registered for a particular top-level domain (the policies differ with each registry), the only method is to create a list. This is the aim of the Public Suffix List.
  
  (https://publicsuffix.org/learn/)
So, once they realized web browsers are all inherently flawed, their solution was to maintain a static list of websites.

God I hate the web. The engineering equivalent of a car made of duct tape.

replies(6): >>45677442 #>>45678161 #>>45678382 #>>45678520 #>>45678922 #>>45679006 #
lukan ◴[] No.45677442[source]
"The engineering equivalent of a car made of duct tape"

Kind of. But do you have a better proposition?

replies(2): >>45677503 #>>45678251 #
1. gmueckl ◴[] No.45677503[source]
A part of the issue is IMO that browsers have become ridiculously bloated everything-programs. You could take about 90% of that out and into dedicated tools and end up with something vastly saner and safer and not a lot less capable for all practical purposes. Instead, we collectively are OK with frosting this atrocious layer cake that is today's web with multiple flavors of security measures of sometimes questionable utility.

End of random rant.

replies(4): >>45677688 #>>45677734 #>>45677747 #>>45678076 #
2. sefrost ◴[] No.45677688[source]
You are right from a technical point, I think, but in reality - how would one begin to make that change?
3. lukan ◴[] No.45677734[source]
"You could take about 90% of that out and into dedicated tools "

But then you would loose plattform independency, the main selling point of this atrocity.

Having all those APIs in a sandbox that mostly just work on billion devices is pretty powerful and a potential succesor to HTML would have to beat that, to be adopted.

The best thing to happen, that I can see, is that a sane subset crystalizes, that people start to use dominantly, with the rest becoming legacy, only maintained to have it still working.

But I do dream of a fresh rewrite of the web since university (and the web was way slimmer back then), but I got a bit more pragmatic and I think I understood now the massive problem of solving trusted human communication better. It ain't easy in the real world.

replies(3): >>45677833 #>>45677843 #>>45678003 #
4. nemothekid ◴[] No.45677747[source]
>A part of the issue is IMO that browsers have become ridiculously bloated everything-programs.

I don't see how that solves the issue that PSL tries to fix. I was a script kiddy hosting neopets phishing pages on free cpanel servers from <random>.ripway.com back in 2007. Browsers were way less capable then.

replies(1): >>45677763 #
5. lukan ◴[] No.45677763[source]
PSL and the way cookies work is just part of the mess. A new approach could solve that in a different way, taking into account all the experience we had with scriptkiddies and professional scammers and pishers since then. But I also don't really have an idea where and how to start.
replies(1): >>45677820 #
6. shadowgovt ◴[] No.45677820{3}[source]
And of course, if the new solution completely invalidates old sites, it just won't get picked up. People prefer slightly broken but accessible to better designed but inaccessible.
replies(2): >>45678253 #>>45679014 #
7. gmueckl ◴[] No.45677833[source]
But do we need e.g serial port or raw USB access straight from a random website? Even WebRTC is a bit of a stretch. There is a lot of cruft in modern browsers that does little except increase attack surface.

This all just drives a need to come up with ever more tacked-on protection schemes because browsers have big targets painted on them.

replies(5): >>45677839 #>>45677890 #>>45678065 #>>45678383 #>>45679283 #
8. shadowgovt ◴[] No.45677839{3}[source]
How else am I going to make a game in the browser that be controlled with a controller?
replies(1): >>45678826 #
9. smaudet ◴[] No.45677843[source]
> Having all those APIs in a sandbox that mostly just work on billion devices is pretty powerful and a potential succesor to HTML would have to beat that, to be adopted.

I think the giant major downside, is that they've written a rootkit that runs on everything, and to try to make up for that they want to make it so only sites they allow can run.

It's not really very powerful at all if nobody can use it, at that point you are better off just not bothering with it at all.

The Internet may remain, but the Web may really be dead.

replies(2): >>45677951 #>>45679303 #
10. lukan ◴[] No.45677890{3}[source]
WebRTC I use since many years and would miss it a lot. P2P is awesome.

WebUSB I don't use or would miss it right now, but .. the main potential use case is security and it sounds somewhat reasonable

"Use in multi-factor authentication

WebUSB in combination with special purpose devices and public identification registries can be used as key piece in an infrastructure scale solution to digital identity on the internet."

https://en.wikipedia.org/wiki/WebUSB

11. lukan ◴[] No.45677951{3}[source]
"It's not really very powerful at all if nobody can use it"

But people do use it, like the both of us right now?

People also use maps, do online banking, play games, start complex interactive learning environments, collaborate in real time on documents etc.

All of that works right now.

12. ngold ◴[] No.45678003[source]
Not sure if it counts but I've been enjoying librewolf. I believe just a stripped down firefox.
13. com2kid ◴[] No.45678065{3}[source]
Itch.io games and controller support.

You have sites now that let you debug microcontrollers on your browser, super cool.

Same thing but with firmware updates in the browser. Cross platform, replaced a mess of ugly broken vendor tools.

14. Kim_Bruning ◴[] No.45678076[source]
Are you saying we should make a <Unix Equivalent Of A Browser?> A large set of really simple tools that each do one thing really really really pedantically well?

This might be what's needed to break out of the current local optimum.

replies(2): >>45678831 #>>45679367 #
15. motorest ◴[] No.45678253{4}[source]
> People prefer slightly broken but accessible to better designed but inaccessible.

It's not even broken as the edge cases are addressed by ad-hoc solutions.

OP is complaining about global infrastructure not having a pristine design. At best it's a complain over a desirable trait. It's hardly a reason to pull the Jr developer card and mindlessly advocate for throwing everything out and starting over.

16. hulitu ◴[] No.45678383{3}[source]
> But do we need e.g serial port or raw USB access straight from a random website?

Yes. Regards, CIA, Mossad, FSB etc.

17. gmueckl ◴[] No.45678826{4}[source]
Every decent host OS already has a dedicated driver stack to provide game controller input to applications in a useful manner. Why the heck would you ship a reimplementation of that in JS in a website?
18. gmueckl ◴[] No.45678831[source]
I haven't thought of it that way, but that might be a solution.
replies(1): >>45679324 #
19. friendzis ◴[] No.45679014{4}[source]
> People prefer slightly broken but accessible to better designed but inaccessible.

We live in world where whatever faang adopts is de facto a standard. Accessible these days means google/gmail/facebook/instagram/tiktok works. Everything else is usually forced to follow along.

People will adopt whatever gives them access to their daily dose of doomscrolling and then complain about rather crucial part of their lives like online banking not working.

> And of course, if the new solution completely invalidates old sites, it just won't get picked up.

Old sites don't matter, only high-traffic sites riddled with dark patterns matter. That's the reality, even if it is harsh.

20. sofixa ◴[] No.45679283{3}[source]
> Even WebRTC is a bit of a stretch

You remove that, and videoconferencing (for business or person to person) has to rely on downloading an app, meaning whoever is behind the website has to release for 10-15 OSes now. Some already do, but not everyone has that budget so now there's a massive moat around it.

> But do we need e.g serial port or raw USB access straight from a random website

Being able to flash an IoT (e.g. ESP32) device from the browser is useful for a lot of people. For the "normies", there was also Stadia allowing you to flash their controller to be a generic Bluetooth/usb one on a website, using that webUSB. Without it Google would have had to release an app for multiple OSes, or more likely, would have just left the devices as paperweights. Also, you can use FIDO/U2F keys directly now, which is pretty good.

Browsers are the modern Excel, people complain that they do too much and you only need 20%. But it's a different 20% for everyone.

21. sofixa ◴[] No.45679303{3}[source]
> to try to make up for that they want to make it so only sites they allow can run

What do you mean, you can run whatever you want on localhost, and it's quite easy to host whatever you want for whoever you want too. Maybe the biggest modern added barrier to entry is that having TLS is strongly encouraged/even needed for some things, but this is an easily solved problem.

22. magackame ◴[] No.45679324{3}[source]
There was an attempt in that direction.

https://www.uzbl.org/

23. acka ◴[] No.45679367[source]
Maybe it's time to revive something like the uzbl[1] project, or start something similar.

[1] https://www.uzbl.org/