
GeckoView for Android - selvan
https://mozilla.github.io/geckoview/
======
poutine
GeckoView is awesome. We switched to using it with TelemetryTV (a next gen
digital signage platform) and it's made our Android app a lot more compatible.

The core of our player application is a Progressive Web Application that runs
everywhere and just needs a native container like Electron or a Webview to
run. Our customers run on whatever hardware they want(Windows, Mac, ChromeOS,
etc)and Android is a really compelling platform since there's a ton of
inexpensive AndroidTV devices out there but quality is all over the place.

If you depended on the system provided Webview on AndroidTV you may get
anything from version 50 to 80 of Chrome due to fragmentation of the platform
and poor update habits of some manufacturers. Our app uses features like CSS
grid and doesn't run on a large fraction of Webviews out there in the wild.

The system Webview also doesn't provide much control at all for customizing
the browser engine. GeckoView lets you do pretty much anything allow us to
support important features we provide with our Electron clients.

You also don't need to worry about a browser update causing trouble as you
control when you update the browser engine.

It's a shame that iOS doesn't have something similar because it's a really
horrible platform due to Apples Webview for use cases like ours.

~~~
preston_mil
>You also don't need to worry about a browser update causing trouble as you
control when you update the browser engine.

This concerns me. Under the current google model, as long as you have a play
store compatible device, you get chrome webview updates through the play
store, even if the device fw is eol.

If an app developer doesn't update their app, then you can have potentially
vulnerable version of geckoview lying around. I hope a decoupling/webview-
style update mechanism is eventually implemented, although I don't know how
feasible that is (i'm an amateur android dev)

That said, I really do like the project. And, I use firefox as my personal
browser, both on principle and because it's quality software.

~~~
poutine
On many real world AndroidTV devices (I've tested a couple dozen) you
definitely do NOT get Chrome updated properly even though it's supposed to.

Android is the Wild West, with all the good and bad that follows.
Manufacturers are often not implementing things properly. Problem is that
these devices are all over Amazon and people buy them and expect them to work.
We try to steer people to good quality devices such as the Nvidia Shield but
you can only do so much.

Keep in mind that GeckoView may not be used to build a browser. Rather it's
often an engine used to drive an application built with web technologies. So a
developers requirements for updates are different than an interactive browser
of arbitrary web content.

The story is the same on the desktop with Electron. When you deploy an
electron app the browser underneath it is locked in conjunction with the
version of Electron.

It's still up to the app developer to be responsible and follow issues and
update as required. But that's a lot less often than when you have a browser
of arbitrary web content.

~~~
preston_mil
>On many real world AndroidTV devices

i gathered from your comment about large amts of devices still on 50 D:

I know it won't be used for external web content, but all it takes is an
escape or malicious frame/xss, and boom, mass RCE.

I don't like electron for the same reason.

I'm not saying that it's a wasteland out there, it's just one element that
concerns me, is all.

~~~
OkGoDoIt
Still, at least this provides another option. Lesser of two evils and all
that. Maybe if android was less of a mess this would be a less desirable
option, but frankly I’m pretty happy there’s an alternate option regardless of
whether it’s better or worse

------
alexlarsson
As the original author of GtkMozEmbed I'd like to say that this is way too
little, way to late. Mozilla has historically been very much against anyone
trying to use the engine in anything other than the firefox app.

This is completely up to them of course, and it probably let them move firefox
forward faster, due to not having to care about APIs. However, it also means
that chrome completely took over the entire market with electron and similar
things.

~~~
GeneralMaximus
I've always wondered why Mozilla doesn't make it easier to embed Gecko
everywhere it possibly can. If Electron was built with Gecko, it would go a
huge way towards preventing Chrome from becoming the de-facto way of accessing
the Web.

As you said, this is too little, too late. I'm a Firefox user, but Chrome has
pretty much won the browser wars. The only thing preventing it from achieving
complete market dominance is the existence of Mobile Safari.

~~~
roca
Supporting embedding well is a lot of work, both to create the APIs and then
deal with their constraints as the browser evolves. Mozilla has always been
under-resourced compared to the competition (IE, then Chrome) and taking
people off improving Firefox/Gecko to work on embedding never made the cut. I
don't really regret those decisions.

What made it extra unappealing for Mozilla was that we knew the Firefox/Gecko
architecture needed lots of work that would destabilize an embedding API. Not
much point in supporting an API that assumes single-process while you're
moving to multi-process, or that exposes XUL which you know is a dead end, or
that isn't compatible with off-main-thread rendering or GPU rendering, etc.
Things are much better now that a lot of that debt has been paid off.

~~~
asiachick
There's nothing stopping a 3rd party from making an Gecko version of Firefox.
Electron is not run by Google nor the Chromium team. It's run by github (which
only recently became Microsoft)

That said, I'm not sure what the point is. I believe (but could be wrong) that
Chromium has more features that Gecko doesn't? So if you're choosing one over
the other I'm only guessing most people would choose Electron

~~~
sanxiyn
"Electron for Gecko" was in fact done. See Positron discussion below.

------
londons_explore
I hope they have a _very_ good story around patches and updates...

Web browsers need patching pretty much every week, and having every app
developer needing to re-release their app every time isn't practical. The
alternative is a world where my phone can be compromised because an ad
rendered in an app using a 3 week old build of gecko had a browser exploit in.

~~~
tehlike
This. Webview is a separate app on Android phones for quite a while now(and
also I think chrome mobile is another/newer webview provider), which allows
for much faster updates. As much as app developers hate not knowing what
version of library is actually running in their apps, it is a net win for the
user.

~~~
folli
I didn't know about using chrome mobile as webview provider. What are the
dis-/advantages of using it? Any experience?

~~~
matharmin
Advantage is that most of the time, you have a fairly new browser engine
available for your app, that is not tied to the OS version (especially
important on Android). Also doesn't require embedding an 50MB engine
(Crosswalk) in your app.

Disadvantage is that as an app developer you're not guaranteed to have any
specific version available. Some devices never upgrade the pre-installed
version automatically. The user is also able to switch between the Chrome
webview and an OS webview on some devices (in developer settings, so it's not
common). You can add checks in your app and direct the user to the update
links, but requires quite a bit of work to do well.

------
soapdog
Mozilla offers many Android components for those building browsers:
[https://mozac.org/components/](https://mozac.org/components/)

~~~
dindresto
Is there a similar set of components for desktop applications? I.e., as an
alternative to electron.

~~~
rapsey
Would there be any point other than being from mozilla?

~~~
yjftsjthsd-h
Well, "from Mozilla" is a subset of the larger and more valuable "not
Blink"/"not from Google", which is handy if you're worried about an adtech
company owning the entire web ecosystem.

------
AbuAssar
I'm looking forward to be able to embed GeckoView in my Ionic apps to support
older android versions, as a replacement for the now defunct crosswalk
project.

------
anticensor
The billion dollar (figuratively) question: When will GeckoView for jailbroken
iOS come?

~~~
kbrosnan
GeckoView is fairly tightly focused on Java/Kotlin API. While work in the past
allowed Gecko to run on iOS [1] this was not maintained.

[1] [https://imgur.com/r8Qti](https://imgur.com/r8Qti) and
[https://bugzilla.mozilla.org/show_bug.cgi?id=1163827](https://bugzilla.mozilla.org/show_bug.cgi?id=1163827)

------
OJFord
Does this mean a user might open a link and get either WebView or GeckoView,
according to what the application developer chose, or that the user can choose
which _all_ in-app links open in (if *View enabled in that app, etc.)?

~~~
tehlike
App developer chooses either this or that.

However, I bet noone would choose gecko because it adds to the APK size.

~~~
OJFord
Hm I thought that's what it was, a shame. IMO 'WebViewHandler's should be
distributed with browsers, and then when you choose a default browser you've
also chosen a default 'WebViewHandler'.

~~~
sciurus
I'm not 100% sure, but I think that actually is how it works. I have Firefox
Preview (which is built on top of GeckoView) installed as my default Android
browser, so I believe webviews from other apps are rendered using Firefox's
engine instead of Chrome's.

(Disclaimer: I work for Mozilla but not on this)

~~~
KwanEsq
WebViews can't be rendered by anything but system WebView or Chrome WebView,
but apps can use something called a Custom Tab instead, which can be provided
by the user's default browser, and which Firefox does.

------
thefounder
Anyone knows if you can bypass/disable CORS restrictions like in Electron ?

~~~
eamsen
Relevant question with answers:
[https://stackoverflow.com/questions/61375629/allow-cross-
ori...](https://stackoverflow.com/questions/61375629/allow-cross-origin-
request-in-geckoview-for-android)

------
amelius
Is this a "shared library" in the sense that when I have two applications
using it, it is only installed once?

~~~
eamsen
No, there is no support for third-party shared libraries on Android yet.

------
ufo
Out of curiosity... does anyone know how big this library is in terms of
installation size?

~~~
huksley
I was also interested in this. Not sure how it will look in final APK build,
but AAR is 28Mb
[https://maven.mozilla.org/maven2/?prefix=maven2/org/mozilla/...](https://maven.mozilla.org/maven2/?prefix=maven2/org/mozilla/geckoview/geckoview-
arm64-v8a/64.0.20181204213330/)

------
akerro
Why not servoView?

~~~
cosmojg
Probably because Servo isn't anywhere close to ready yet, unfortunately. It's
really cool tech, and I'm dying to use it.

~~~
bzb3
I have a gut feeling that by the time servo is ready, Firefox will have died.
That, or servo will never be ready.

~~~
noisem4ker
Servo may not ever be ready by design, as it is a research project and not
meant to stand on its own. The way it's useful is that parts of it
occasionally get integrated into regular Gecko as they mature.

------
fabiospampinato
> Like Firefox, GeckoView offers excellent support for modern Web standards.

I guess it depends on one's definition of "excellent", but I'm still waiting
on ES2018's regex lookbehind assertions to be implemented.

~~~
jraph
What about support for CSS list-style-type: '-'? Happy to discover that it is
finally supported since Chrome 79, released on the December 10, 2019.
Supported on Firefox since version 39, released on July 2, 2015.

And what about Flex-box's safe value for the justify-content property,
allowing to justify (center) an element, but still be sure that the left side
of the content will not be hidden if the parent container is too small? Right,
supported on Firefox since version 63 released on October 23, 2018 and still
not supported on Chrome (and to add insult to injury, safe is recognized, it
just does nothing, which is worse than really not supporting the feature).

I didn't look for these missing features on purpose, I have been annoyed by
them recently or less recently. So as for Chrome's excellent support for
modern Web standard, I guess it depends on one's definition of "excellent".

Or more accurately, you can find lacking support for some features of the Web
standard in any browser engine. :-)

~~~
fabiospampinato
I do agree with you, but also I don't think that when judging whether
Firefox's support of web standards is "excellent" it matters one bit what
other browsers are doing. Like excellence isn't a relative measure here.

~~~
jraph
Oh, well, it literally depends on what you pick as a definition for
"excellent" in a way I hadn't considered then :-)

Food for thought however: what is implemented elsewhere may be an indicator of
was level of excellence is achievable.

~~~
fabiospampinato
Yeah, that's why I prefaced my comment with: 'I guess it depends on one's
definition of "excellent"'.

What others can do is an indication of what is achievable only if what they do
is optimal, like let's say for example that a monkey learns 10 words in a
planet full of comparable monkeys and things less capable than that, does that
environment make the monkey excellent in general as far as learning words
goes? I don't think so. I would argue excellence in this sense is to be
measured in the scale of what's possible, not as a comparative measure that
changes depending on the environment. In this case in particular I wouldn't
consider lacking features spec'ed 2 years ago excellence, your mileage may
vary.

------
sdlkfgj
Mozilla is going on the completely opposite direction of what their supporters
(and previous contributors) want them to go.

Yes, they provide mobile browsers, plus a browser with "private mode" (focus)
and now this. But on every single one of them, you have the same philosophy of
Google Chrome (tm) adopted, of treating the user as a dumb gullible person
that should not have access to important settings.

Why would they waste so much effort, and clone all the things people should
avoid from Google Chrome?!

For example, any new tech introduced that can be used for browser
fingerprinting and user tracking (e.g. canvas, webgl, webrtc, etc) is enabled
to every single site by default, just like chrome.

Some you can install extensions (you can't on this and on mozilla focus), some
you can fiddle with user-UNfriendly settings in about:config (desktop and full
featured android, not focus or this) where you have to guess setting names and
cryptic values (what does 2 means in a setting named somethingEnabled?!)

Only on mozilla desktop you can standardize sane settings by importing a
user.js file from the dozen of crowdsourced efforts (i recommend the most
complete one from
[https://github.com/pyllyukko/user.js/](https://github.com/pyllyukko/user.js/)
). think about this, there's more then a dozen community led effort to provide
sane defaults, not hardcore user optimized settings, sane defaults, for a
project that should be open source and the users could have been able to send
in patches to have sane defaults in the first place! now, why would those sane
defaults everyone want would be denied in the main branch? because mozilla do
not represent the users for a long time!

Mozilla is now a corporation that looks for Advertisement companies grants.

~~~
eamsen
> For example, any new tech introduced that can be used for browser
> fingerprinting and user tracking (e.g. canvas, webgl, webrtc, etc) is
> enabled to every single site by default, just like chrome.

GeckoView exposes a wide range of privacy (including anti-tracking and anti-
fingerprinting) features in a (hopefully) comprehensive API, see
[https://mozilla.github.io/geckoview/javadoc/mozilla-
central/...](https://mozilla.github.io/geckoview/javadoc/mozilla-
central/org/mozilla/geckoview/ContentBlocking.html), and continues expanding
its privacy settings.

> Some you can install extensions (you can't on this and on mozilla focus)...

GeckoView also exposes a WebExtension API, see
[https://mozilla.github.io/geckoview/javadoc/mozilla-
central/...](https://mozilla.github.io/geckoview/javadoc/mozilla-
central/org/mozilla/geckoview/WebExtension.html), and continues to expand
extension support.

> ...some you can fiddle with user-UNfriendly settings in about:config...

You seem to have answered one of your own questions here.

I also have the impression that you might have not commented on the GeckoView
library, but on some range of Mozilla products (you named Focus).

~~~
q92z8oeif
> GeckoView exposes a wide range of privacy

that's is a fallacy and you know it!

There are ZERO settings exposed to the end user.

Those settings are exposed to the App embedding geckoviewer. In other words,
the privacy settings are in the hands of the actor who benefit from
Advertising by tracking the user!

> GeckoView also exposes a WebExtension API

again to the app.

~~~
eamsen
> There are ZERO settings exposed to the end user.

This thread is discussing GeckoView, which exposes extensive privacy settings.

There is a (hopefully growing) amount of apps based on GeckoView, which will
make use and/or expose different variations of GeckoView settings to the user,
depending on the purpose and target audience of the app.

You might disagree, but, for example, I consider the level of detail in
privacy settings provided by Fenix (Nightly) to be a good balance between user
control and comprehensibility.

> > GeckoView also exposes a WebExtension API > again to the app.

Again, taking Fenix (Nightly) as an example, the GeckoView WebExtension API is
used to provide a growing selection of add-ons, many of which are aimed at the
privacy-conscious user, including uBlock Origin, HTTPS Everywhere, NoScript
and Privacy Badger.

