
> Alright, let's take a step back. First, I am not a mobile developer.

I think you're whichever kind of developer your current position requires. You've been talking about Android non-stop throughout this conversation, and conversations you've had with others on this website [1]. When you were lambasting me about my perceived knowledge of mobile development you were touting your Android knowledge, and taunting me about whether or not I've done anything outside the web. Now that I've proven Android is actually one of the primary tools Google uses to promote Chrome (and you admitted you don't know much about iOS) you want to distance yourself from mobile development altogether.

> Other examples include whatever iOS does (which I don't know), containers (docker and the likes), VMs, and everything in-between (like what snap or flatpak use).

We're not discussing theoretical means with which you could sandbox an application, we're talking about how apps are actually used in reality. If you need to fire up a virtual machine every time you use your favorite desktop apps, then you're only proving my point that they're not inherently very secure. Not to mention, the average user probably has no idea what Docker or a virtual machine even is. Like I said in my original response, lots of things are possible in theory, but in practice web browsers are much better at sandboxing apps than desktop operating systems (and even better than mobile operating systems). And by the way, you can run a browser inside of a vm too, so if anything the technologies you're advocating for bolster the security of web apps rather than compete with them.

> If anything, modern browsers are so complex (and getting worse with time) that the attack surface is big

Ironically, a lot of that complexity arises from the web's insistence on security. V8 is complex because it has so many safeguards in place to sandbox JavaScript, and that sandboxing is taken very seriously. There's a reward anywhere from 10,000 to 150,000 USD if you can escape the sandbox [2][3]. Browsers are inherently more secure than desktop apps because they limit access to the underlying platform. Someone developing malware as a web app has to first escape the browser sandbox, just to gain the privileges that a desktop app has natively. If it helps, you can think of every desktop app as a webapp which has already escaped the browser.

> Moreover, Web UIs bring their own class of issues that don't really apply to native apps.

No, web developers have just spent so much time thinking about security, that native app developers haven't even realized these security issues are relevant yet. It took years for Apple and Google to come to the brilliant conclusion that they should notify users when an app is reading from the clipboard, something which at the time was considered just a browser "class of issue". Maybe in 2034 they'll figure this out for desktop apps.

> But CORS is really a browser thing, I don't think it really makes sense to compare it to anything outside the "webview world".

It makes sense to compare it to things outside of the browser because it protects users and servers. You seem to want to disqualify any point I make that you can't disprove. If you don't think web technology is comparable to anything outside the browser, then what are we even arguing about? This whole discussion has been about comparing the security of web apps to non-web apps.

> If security is your concern (and you seem to insist that it is), then webapps are really not better than the alternatives. Actually, the Apple Store and the Play Store (to give an example in the mobile world) allow Apple and Google to somehow monitor the apps that users install, which is most certainly more secure than a model where anyone can load any webapp from any website.

Security is not some new thing I'm insisting on, it's been my whole point from the very beginning. You're just finally deciding to engage with me about it, instead of derailing the conversation constantly. Apple and Google have to monitor which apps make it to their app stores, BECAUSE apps are so much more prone to security problems. You once again have it completely backwards. No one has to gatekeep websites because browsers are so much better at sandboxing applications. And allow me to remind you that you admitted you have no idea how iOS sandboxing works, so you can't really be confident about this stance even if it did make sense.

And now you're arguing in favor of the app store duopoly which contradicts your point about software diversity. You can't have it both ways. You're trying to hold on to two contradictory points at the same time: you don't like the supposed lack of browser diversity (which is why you seem to detest Chromium), but you like the supposed security guarantees of the mobile app store duopoly, which is even less diverse.

[1] https://news.ycombinator.com/item?id=38919389

[2] https://github.com/google/security-research/blob/master/v8ct...

[3] https://bughunters.google.com/about/rules/5745167867576320/c...




> You can't have it both ways. You're trying to hold on to two contradictory points at the same time: you don't like the supposed lack of browser diversity (which is why you seem to detest Chromium), but you like the supposed security guarantees of the mobile app store duopoly, which is even less diverse.

Ok I get it.

Let me rephrase it just to make it clear: It is true that I don't like the lack of diversity (that would come from everything being webtech on top of Chromium), and it is also true that I like the security that comes from a managed app store. I do! I can have it both ways! Isn't that marvelous?

If you can't understand how this is possible, I think we can stop here. We won't get anywhere if you can't understand what I write.


You've completely abandoned any attempt to argue the point about the security of web apps vs non-web apps, which was the original point of this discussion, so now let me address all the tangents you like going on to deflect. You're an expert at cherry picking which arguments you'd like to reply to, to avoid tackling the main issue at hand.

> It is true that I don't like the lack of diversity (that would come from everything being webtech on top of Chromium), and it is also true that I like the security that comes from a managed app store.

You've said previously: "My point is that webapps move everything into the browser, going towards a world where something like ChromeOS is the only valid way to use a computer. I want to choose my OS". [1]

So you think the best way to increase OS diversity is to get developers to submit their apps to proprietary app stores that only run on their own respective operating systems, instead of using open web standards that work on every operating system? How does that make sense?

> I do! I can have it both ways! Isn't that marvelous?

No! You can't! Not if you value logical consistency.

> If you can't understand how this is possible, I think we can stop here. We won't get anywhere if you can't understand what I write.

I don't think you comprehend what you're writing, or rather, you're not willing to admit that what you're writing is incomprehensible. Saying "my argument makes sense, you just can't understand it" is just you being petulant. You want to "stop here" because you've argued yourself into an illogical corner.

[1] https://news.ycombinator.com/item?id=38913989


> Saying "my argument makes sense, you just can't understand it" is just you being petulant.

I did not say that. I said that my preferences are consistent. Security and diversity are orthogonal concepts. I can say: "I want as much security as possible AND as much diversity as possible". It is not an argument, it is a preference.

You come and say: "Aha, I got you! You cannot want both security and diversity! You have to want one or the other, not both, because I say so! You just lost the debate, you dumb ass".

Fine, I lost the debate, you're the best.


First of all, I've been saying from the very beginning that your stance implies both less security AND less diversity. But I knew you would grasp onto the security part like a lifeline, because you've run out of ways to derail the conversation, which is why I clarified in my previous comment. You ignored my clarification, and once again decided to argue with a straw man. I've never seen so many bad faith straw man arguments in my life. Forget the security aspect of it since you clearly can't debate that, and just focus on the diversity, and you're STILL wrong.

As you like to say when you're clarifying, "let's take a step back here". I'll just repeat my last comment, and hopefully you won't evade it like you always do:

You've said previously: "My point is that webapps move everything into the browser, going towards a world where something like ChromeOS is the only valid way to use a computer. I want to choose my OS". [1]

So you think the best way to increase OS diversity is to get developers to submit their apps to proprietary app stores that only run on their own respective operating systems, instead of using open web standards that work on every operating system? How does that make sense?

Do you get it yet? You're claiming you want OS diversity, but you're advocating for the solution that results in LESS OS diversity, that's why you're contradicting yourself, and that's why your position is logically inconsistent. You absolutely know this, which is why you're dodging every attempt to actually debate it. And I know you know this, because you purposely omitted the first sentence of my paragraph when you quoted it, which was [2]: "And now you're arguing in favor of the app store duopoly which contradicts your point about software diversity." That part didn't fit your narrative, which is why you omitted it. You're better at evasion, and rhetorical trickery than you are at actually discussing technical topics. If you had said instead: "I admit my position implies less OS diversity, but in this case I'm willing to make that trade off in exchange for better security guarantees", then we could move on to the security question (and you'd lose that debate too).

You can admit that one of those pesky web developers you're so fond of condescending to actually has a good point, it won't hurt.

[1] https://news.ycombinator.com/item?id=38913989#:~:text=what%2...

[2] https://news.ycombinator.com/item?id=38934276#:~:text=did%20...


> So you think the best way to increase OS diversity is to get developers to submit their apps to proprietary app stores that only run on their own respective operating systems.

No, I don't. I think that having different tools, more or less specialized for particular platforms, is better than using webtech everywhere. My reason being that I tend to hate webtech and all it represents to me: I don't like unmanaged language package managers like npm and how they allow devs to have no clue about their dependencies. I don't like Javascript. I don't like having to run a browser to access Discord, or alternatively to have a fake Desktop app that is essentially a hardcoded one-tab browser. I don't like to run complicated webapps in a tab that can freeze my whole browser. I don't like that if my browser crashes, all my webapps stop. I find that pushing for WebAssembly to run everything in the browser is completely overkill given that we already have tons of ways to run stuff on different OSes. I don't like how web people tend to not know anything not web (including native/non-native-but-not-web mobile apps, native/non-native-but-still-not-web Desktop apps, mobile OSes like iOS/Android/Linux-based-but-not-ubuntu, Desktop OSes like Windows/macOS/Linux/-BSD, embedded OSes like OpenWRT/-BSD) but still claim that webtech is better.

I like C when it makes sense, I find merit to C++ in many situations, I think Rust is interesting (except for the language package management which seems to come straight out of the webtech hell). I like Java/JVM and its evolution in the last years (no, it's not just an interpreter and web applets since the beginning of the century, but too many web people missed the memo), I find that Android has done a lot of interesting stuff with JIT and AOT, I think that GraalVM is really promising. I love Scala and Kotlin, and the new Jetpack Compose way for UIs (coming to Desktop apparently). I wish I could spend more time on Swift and discover SwiftUI, and I had fun learning Flutter and Dart (though it still has the fundamental issues of cross-platform frameworks IMO). I don't know anything about .NET, but it doesn't seem bad. I like making custom Linux with fun tools (buildroot, Yocto, pmbootstrap) or learning how relatively mainstream distributions work. I like running stuff on -BSD (not in a browser, actually on the system). I like how Linux distributions approach their package management.

I am a big fan of open protocols, which mean that I can run my TUI IRC client (written in C) on my OpenBSD, my favorite email client (written in Go) on my Alpine Linux, and a whole bunch of stuff like git/gpg/ssh/podman/pass in CLI. I can even enjoy tools written in niche languages like Hare!

Those things I like, TO ME, represent diversity, and allow me to choose the tools that are more ergonomic for me, and even to contribute to them. Webtech, TO ME, represents those shitty Slack/Discord/Teams/NameYourCloud proprietary apps (and those are the good ones), written by people who want a one-size-fits-all solution so that they can be more productive by knowing ONE tech and making ONE mediocre app that will run badly on all those systems they never cared to study, governed by rules like "no need to optimize for memory, memory is cheap ahahaha!!!1!". All that forcing me to run full-blown apps (and not websites anymore) in a damn browser, in a world where Safari is Apple's way of refusing webtech for as long as they can, Firefox is a joke (which I use, don't get me wrong) and everything else non-Chrome is about customizing Chromium and pretending that they own their codebase.

PWAs are a promise to move that shitty world out of the browser and into mobile devices (because ElectronJS already succeeded in moving that shitty world out of the browser and into the Desktop... by duplicating a browser I did not choose, and behind my back). All of that is transforming my Desktop OS and my mobile OS into basically a big browser that I hate (Chromium) running bad apps written with webtech that I hate.

Native Android and iOS apps are not perfect of course. But they are not webtech. And at this point I'm holding to anything that is not damn webtech (or worse: "AI" bullshit).

Go on, tell me why I should not feel the way I feel or, even better, prove it to me, with cross-references to whatever you find (I still won't click on your links, though, I really don't give a shit).

> then we could move on to the security question (and you'd lose that debate too).

I am not here to win (is there a price for the winner?). I would genuinely be very happy if you taught me something (just a small thing) about why browsers are fundamentally better in terms of security than any other kind of sandbox I can imagine. But something constructive, like why it is that whatever is used to sandbox processes in a browser cannot be used to sandbox processes outside the browser. Or why granular access control works in the browser and fundamentally cannot be used outside of it.

But if it is to tell me that browsers are better because smart people spend a lot of time working on V8, or that web people invented access control last year, please don't lose your time.


> I don't like how web people tend to not know anything not web

This is the reason why your responses have been so arrogant. This is why you assumed I lacked knowledge about sandboxing before we'd even had a chance to discuss the topic in any sort of depth. You have this preconceived notion that all web developers are myopic and can't see anything outside of the web, and you've projected this stereotype onto me as if you're omniscient. If you truly do enjoy engaging in good faith arguments, and learning from other commenters, then you wouldn't start with the pompous assumption that the person you're talking to is ignorant.

> I don't like unmanaged language package managers like npm and how they allow devs to have no clue about their dependencies. I don't like Javascript.

Finally, you just came out and said it. You have a deep-seated visceral hatred of JavaScript and anything even tangentially related to it. This is why you've been trying to bait me into talking about Electron, to the point of literally fabricating statements (at one point you claimed I was talking about VSCode). This is your pet issue, and you're clamoring for a chance to talk about it. I get it, you don't like JS. It's a popular opinion amongst snobbish developers who like to promote this culture of contempt that pervades the software development world [1].

The problem is...we're not talking about the pros and cons of JavaScript as a language, or npm as a package manager. I have feelings about that as well (which I may or may not share), but my primary conjecture has always been that software is safer when run in the browser (especially on desktop operating systems). That's why I originally responded to your comment about Figma and Photoshop, and provided my own anecdote about my experiences using Adobe Photoshop on my desktop computer.

> Those things I like, TO ME, represent diversity, and allow me to choose the tools that are more ergonomic for me, and even to contribute to them.

The preceding paragraphs read like a CV with every technology you've ever interacted with, and many of them are very interesting, but all of that is completely beside the point. I'm going to quote you again here, you said: "My point is that webapps move everything into the browser, going towards a world where something like ChromeOS is the only valid way to use a computer. I want to choose my OS".

We're not talking about the diversity of tools used to build applications, we're talking about the diversity of operating systems used to run graphical user interface apps. You absolutely refuse to stay on topic. Submitting apps to proprietary app stores that only run on their respective operating systems is not the best way to promote operating system diversity. If I build an app for the browser it'll run on every operating system (since they all ship with a web browser), that's just an objective fact.

> is there a price for the winner

You should be a comedian. I'm here to talk about technology.

> I would genuinely be very happy if you taught me something (just a small thing) about why browsers are fundamentally better in terms of security than any other kind of sandbox I can imagine.

We're not talking about what you can fundamentally imagine, we're talking about how software is used in reality.

> why it is that whatever is used to sandbox processes in a browser cannot be used to sandbox processes outside the browser. Or why granular access control works in the browser and fundamentally cannot be used outside of it.

I hate to keep repeating myself but, we're not discussing theoretical means with which you could sandbox an application, we're talking about how apps are actually used in practice. You seem to want to discuss how desktop apps could theoretically be just as safe as web apps, but I'm more interested in reality than theory. I've given you several examples of security features which are present in the browser, and have no proper analog built in to desktop operating systems.

Here's a non-exhaustive list of things that make webapps more secure than desktop apps (many of these points have already been mentioned, but you keep ignoring them):

- Webapps can't read from the clipboard without user confirmation.

- Webapps can't make themselves truly persistent the way a desktop app can.

- Webapps can't record your keystrokes when their tab isn't active, whereas keyloggers are one of the most pervasive forms of desktop malware. On a Mac for instance, I normally have to use Reikey to mitigate this threat.

- Webapps can't forge the origin and user-agent HTTP headers to impersonate legitimate clients.

- Webapps can't read the response of an HTTP request to a third party origin unless the site allows it via a CORS header.

- Webapps can't read a single file from your filesystem unless you explicitly allow it.

- Webapps can't see which SSIDs your computer is connected to in order to pinpoint your location by matching them against known wifi networks.

Could some of these protections be implemented on the desktop in the future? Sure, and if they do I'd be happy to revisit this discussion in a few years. But my arguments are firmly rooted in reality, not speculation about future enhancements. And please don't bring up onerous security measures like virtual machines. First because that only proves that desktop apps are insecure by default, second because most users are likely unaware that such measures even exist, and third because those measures can be applied to a browser as well, so they only augment the security of webapps if anything.

[1] https://blog.aurynn.com/2015/12/16-contempt-culture
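
An added example, not part of the thread or any commenter's code: a simplified JavaScript model of the check a browser applies before letting a page's script read a cross-origin response, which is the CORS rule the list above refers to. The function names, URLs and header sets are constructed for illustration, and preflight requests are left out.

```javascript
// Simplified model of the browser-side CORS check from the Fetch standard.
// Function names, URLs and header sets are constructed for illustration.

// Case-insensitive lookup in a plain { name: value } header object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// May script loaded from pageUrl read the response to its request to targetUrl?
// credentials is the fetch() credentials mode: "omit", "same-origin" or "include".
function canScriptReadResponse(pageUrl, targetUrl, credentials, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;
  if (pageOrigin === new URL(targetUrl).origin) {
    return { readable: true, reason: "same origin" };
  }
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { readable: false, reason: "no Access-Control-Allow-Origin" };
  }
  const withCredentials = credentials === "include";
  // "*" only opts in responses fetched without cookies or HTTP auth.
  if (allowOrigin === "*" && !withCredentials) {
    return { readable: true, reason: "wildcard" };
  }
  // Otherwise the header must equal the serialized origin exactly; a list
  // of origins or a bare "*" on a credentialed request does not match.
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: "origin not allowed" };
  }
  if (!withCredentials) return { readable: true, reason: "origin allowed" };
  // Credentialed reads additionally need the literal value "true".
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  return allowCreds === "true"
    ? { readable: true, reason: "origin and credentials allowed" }
    : { readable: false, reason: "credentials not allowed" };
}

// Constructed cases: a page on app.example requesting api.example.
const PAGE = "https://app.example/editor";
const API = "https://api.example/v1/me";
const cases = [
  ["no CORS header", "omit", {}],
  ["wildcard, no cookies", "omit", { "Access-Control-Allow-Origin": "*" }],
  ["wildcard, with cookies", "include", { "access-control-allow-origin": "*" }],
  ["exact origin + credentials", "include", {
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
  }],
];
for (const [label, mode, headers] of cases) {
  const verdict = canScriptReadResponse(PAGE, API, mode, headers);
  console.log(`${label}: ${verdict.readable ? "readable" : "blocked"} (${verdict.reason})`);
}
```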



