W3C is not the only organization working on standardization. Any opinion on WHATWG? Is it a little better?
On Sun, Jun 11, 2017 at 9:19 AM, Hiltjo Posthuma <hil...@codemadness.org> wrote:
> On Sat, Jun 10, 2017 at 01:30:12PM -0700, Louis Santillan wrote:
>> https://youtu.be/1uflg7LDmzI?t=5m35s
>>
>> James Mickens calls it Project Atlantis.
>
> I could not find any Project Atlantis code, do you know where to find it?
>
>> Make the web/content developers responsible for their own rendering
>> and content parsing.
>
> No, this is exactly what you don't want. Current accessibility is already
> terrible. I'd like it if HTML goes back to a document-based model like it was
> created instead of a "pixel-precise" rendering model. The W3C should be more
> strict when defining these standards instead of adding random battery-reading
> APIs[0]! Currently using well-formed simple HTML or (the "old") Gopher it is
> possible to display (or listen!) to the document in any way.
>
> In relation to HTML: I think ideally Javascript and other custom client-side
> execution should be completely removed, but some semantic-context should
> be added to the current HTML.
>
> There are some useful things where Javascript is (ab)used right now, because
> alternatives are missing or inconsistent:
>
> - Implementations of more native missing/inconsistent control types:
>   datepicker, colorpicker, etc.
> - Client-side form validation to indicate the user: should be native in HTML.
>   (similar to <input pattern="" />).
> - Sending form data in a "dynamic" way (using XMLHttpRequest).
> - etc...
>
> These can probably just be extended as tags and attributes.
>
> I'd also like if more concern is taking to privacy and browser fingerprinting.
> Sidenote: this is what happens when you let advertising agencies
> (Google, Facebook) join the W3C.
> The current model leaks too much data to untrusted parties and allows already
> too much control:
>
> - OS / kernel version, browser and browser version, CPU architecture.
> - Screen resolution (by abusing CSS media selectors or JS readout).
> - Client timestamp (header field) in GZIP compressed data.
> - Document caching information.
> - JS: exact geographic location.
> - JS: reading your PC battery status[0].
> - JS: CPU: read amount of cores, etc. [1]
> - JS: CPU timing data, see JS hammer attack for a spooky example[2].
> - JS: WebGL GPU fingerprinting / GPU kernel exploits.
> - JS: WebGL bitcoin mining by abusing compute shaders \o/ [3].
> - ... the list goes on ....
>
> W3C is also already "succumbing" (see editors list) to adding DRM[4] to your
> browser, wake up sheeple!
>
>> Narrow & simplify the scope of what a browser needs to be (shouldn't
>> duplicate all the functions of an OS). His Deny First Same Origin
>> Policy is also a worthy change to current standards. This coupled
>> with some of the concepts from Seif [0] (though not the current code
>> base, I disagree with the choice of nodejs & Qt), could make web
>> browsing . . . better, safer, more performant.
>>
>> Interesting things to consider with some of the suckless ethos.
>>
>> [0] https://youtu.be/0w6tZEbrHIY
>>
>
> Adding abstractions is not the solution in my opinion.
>
> It doesn't seem to simplify the scope. The rendering part is "just" given
> as responsibility to the developers and a RPC layer is added, but at this
> point you are already screwed in various ways.
>
> Also many of the (current) layers he discusses in the video are still
> partially implemented or in draft, but in use today: IndexDB, HTML5 storage,
> CSS3 / CSS animations, Websockets, WebRTC. These layers should not be used
> anyway in a document-based model. It's impossible to change webdevelopers
> mind-set, but it is currently possible to write simple webpages most of
> the time.
>
> Coming back to the real practical world: until then I try to keep my
> (personal) HTML pages simple[5] and use as little Javascript as possible
> (no jQuery!).
>
>
> References:
> [0] - https://www.w3.org/TR/battery-status/
>       "4. Security and privacy considerations"
>       "The user agent SHOULD not expose high precision readouts of battery
>       status information as that can introduce a new fingerprinting vector."
>       Are you FUCKING kidding me. ANY readout is a fingerprint vector.
> [1] - https://developer.mozilla.org/en-US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency
> [2] - https://motherboard.vice.com/en_us/article/rowhammerjs-is-the-most-ingenious-hack-ive-ever-seen
> [3] - https://github.com/derjanb/hamiyoca
> [4] - https://www.w3.org/TR/2017/PR-encrypted-media-20170316/
>       "Editors:
>       David Dorwin, >>Google Inc.<<
>       Jerry Smith, >>Microsoft Corporation<<
>       Mark Watson, >>Netflix Inc.<<
>       Adrian Bateman, >>Microsoft Corporation<< (Until May 2014)"
> [5] - http://idlewords.com/talks/website_obesity.htm
>
> --
> Kind regards,
> Hiltjo
>