sogal said:
>> Basically anything that is using webkit is going to have issues:
>> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>> 
>> This means, xombrero, luakit, probably all the others that aren't
>> firefox and chromium.
> 
> Thanks for the interesting link.
> The xombrero "security" features lie in the default settings and the
> possibility to harden them with regard to privacy issues.
> 
> But indeed, it seems that every single Webkit(Gtk) web browser is broken
> which leaves us with very few choices.

You must face the reality:  all web browsers are broken.  Modern web
rendering engines are too complex and too fast-moving to be securable at
all.  Mozilla and Google made every effort to ensure that nobody can
ever be safe.

Webkit1-based browsers (Luakit, Midori, surf, Vimb and Xombrero) use an
unmaintained engine, so nobody fixes even known issues.  People who care
about security should probably avoid these.

AFAIK situation is similar for QTWebKit (Otter).

Situation with Webkit2 (Epiphany and surf2) is a bit better.  It is
actively developed, and some issues get fixed.  But GTK+ port - the one
we can use - is undermanned and Linux-centric.  It has issues.

XUL (Firefox and SeaMonkey) and Blink (Chromium and Iridium) are in
better shape, so issues there are probably fewer.  But there still
are issues.  And we are not a top-priority platform for either, so
upstream does not care much whether things work for us or not.  And
these are primary targets for bad guys, so those fewer issues have
higher chances of being exploited.


Thuban said:
> w3m already has been mentioned on the list. With some time, it becomes
> very handy.
> 
> But what about netsurf?

FWIW there is no reason to believe that the situation with w3m, netsurf,
dillo, lynx and numerous links forks is better.  These browsers support
a smaller subset of HTML/CSS/JS specs than major browsers do, but their
developer teams are yet smaller, and their security was never studied
in detail.  They may be just as broken as major browsers.  Who knows?


There is no safe bet here.  Pick whatever you want, and you'll lose
eventually.  Or maybe you won't, but only if you are lucky enough.
Parsing HTML manually is probably the safest option, albeit ugly.  You
will still suffer from bugs in your HTTP(S) tool though.

-- 
Dmitrij D. Czarkoff
