> No more third party connections. We don't really need them. Just put whatever data you want in the URL like we do with OAuth.
I'm a bit confused with this. Are you talking about deprecating CORS? How would putting information in a URL mean that you didn't need a third party request anymore?
> I don't know how to fix JavaScript, but it needs fixing. JSON is cool
I may also be misunderstanding here, but are you talking about getting rid of clientside scripting? Or moving all scripting serverside? If that's the case, do you have any plans on how to get businesses, devs, and users on board with that?
I understand that there's a sizable population on HN that would prefer if the web be a static document service and not an app platform, but even if they're right they have almost zero chance of getting anyone else to agree with them.
If that's not what you're talking about and you just hate JS, then you should look into web assembly as a compile target.
> We need a web-of-trust at the connection layer robust enough to be embeddable in our network gear.
This just screams vendor lock-in to me. It's very important that connection information and permissions be user-configurable.
It also seems at first glance like it might be problematic for security. Baking trust models into firmware means that it's a lot harder to patch them when the models need to be updated.
> no more untrusted, unsigned, unencrypted streams
I'm pretty sure Chrome is already heading in this direction. Archivists are mad about it, but I suspect HTTP will be deprecated sometime in the future.
> DNS is so f---- dumb it's painful.
Completely agreed. I would love to see DNS put out of its misery.
> I'm a bit confused with this. Are you talking about deprecating CORS? How would putting information in a URL mean that you didn't need a third party request anymore?
I'm saying there is no real need, technically, to have third party at _all_. If you want an image you can host an image or you can link to it. Same with fonts. I have yet to see a CORS request that couldn't have been done with a user clicking on a link and having a page load. All of this stuff is bleeding data to third parties. And again, I'm not blaming third parties making money within the system we have. If it's legal it's fine with me, but when we have governments around the world starting to figure out how bad it is they're going to try to legislate this problem away and it both wont work and it will also quadruple the costs of doing anything.
> This just screams vendor lock-in to me.
Don't worry, I'm designing it with this risk in mind.
> Baking trust models into firmware
As long as the firmware is capable of software update, it should be fine. ASIC-y type of gear may need to push the trust check to other sides of the pipe.
> I understand that there's a sizable population on HN that would prefer if the web be a static document service and not an app platform, but even if they're right they have almost zero chance of getting anyone else to agree with them.
I think it's tricky. We obviously need client side code in some contexts, but I think something could be designed such that things like Reddit wouldn't require arbitrary code execution. As for JS specifically, I don't love the syntax, but it isn't the worst in the world. But there is a long, long, long list of things that need to be removed from it to make it more secure.
I think web assembly is a mistake. If we turn our browsers into operating systems we're going to get all the problems OSes have. Side channel attacks are easier, protected data in JS enclosures is harder, etc.
That's all I'm going to say for now, I try not to talk about my projects before they're kinda functional because before you figure out all the finicky details you can come off sounding like an idiot to someone else that has a more closeup view to one part of it. Take WebAssembly, for example, I haven't closely poured over it and here I am saying that its a mistake. But everything is getting so complicated so quickly its impossible to keep up, so I have to cut things somewhere. This is another problem I have with the modern stack. We keep piling things onto it to support all these crazy use cases, but then we can't stay ahead of all the potential ways people can abuse it.
I'm a bit confused with this. Are you talking about deprecating CORS? How would putting information in a URL mean that you didn't need a third party request anymore?
> I don't know how to fix JavaScript, but it needs fixing. JSON is cool
I may also be misunderstanding here, but are you talking about getting rid of clientside scripting? Or moving all scripting serverside? If that's the case, do you have any plans on how to get businesses, devs, and users on board with that?
I understand that there's a sizable population on HN that would prefer if the web be a static document service and not an app platform, but even if they're right they have almost zero chance of getting anyone else to agree with them.
If that's not what you're talking about and you just hate JS, then you should look into web assembly as a compile target.
> We need a web-of-trust at the connection layer robust enough to be embeddable in our network gear.
This just screams vendor lock-in to me. It's very important that connection information and permissions be user-configurable.
It also seems at first glance like it might be problematic for security. Baking trust models into firmware means that it's a lot harder to patch them when the models need to be updated.
> no more untrusted, unsigned, unencrypted streams
I'm pretty sure Chrome is already heading in this direction. Archivists are mad about it, but I suspect HTTP will be deprecated sometime in the future.
> DNS is so f---- dumb it's painful.
Completely agreed. I would love to see DNS put out of its misery.