workers-sdk VS chromium

Workers

https://github.com/cloudflare/workers-sdk/blob/main/packages...

The Wrangler, Cloudflare's Developer Platform command-line interface (CLI), allows you to manage Worker projects and has an in-built Miniflare, which runs an HTTP server.

/** * Welcome to Cloudflare Workers! This is your first worker. * * - Run `npm run dev` in your terminal to start a development server * - Open a browser tab at http://localhost:8787/ to see your worker in action * - Run `npm run deploy` to publish your worker * * Learn more at https://developers.cloudflare.com/workers/ */ export interface Env { // Example binding to KV. Learn more at https://developers.cloudflare.com/workers/runtime-apis/kv/ // MY_KV_NAMESPACE: KVNamespace; // // Example binding to Durable Object. Learn more at https://developers.cloudflare.com/workers/runtime-apis/durable-objects/ // MY_DURABLE_OBJECT: DurableObjectNamespace; // // Example binding to R2. Learn more at https://developers.cloudflare.com/workers/runtime-apis/r2/ // MY_BUCKET: R2Bucket; // // Example binding to a Service. Learn more at https://developers.cloudflare.com/workers/runtime-apis/service-bindings/ // MY_SERVICE: Fetcher; // // Example binding to a Queue. Learn more at https://developers.cloudflare.com/queues/javascript-apis/ // MY_QUEUE: Queue; } export default { async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise { return new Response('Hello World!'); }, };

$ npm create cloudflare@latest using create-cloudflare version 2.9.0 ╭ Create an application with Cloudflare Step 1 of 3 │ ├ In which directory do you want to create your application? │ dir ./apps/worker │ ├ What type of application do you want to create? │ type "Hello World" Worker │ ├ Do you want to use TypeScript? │ yes typescript │ ├ Copying files from "hello-world" template │ ├ Retrieving current workerd compatibility date │ compatibility date 2023-12-18 │ ╰ Application created ╭ Installing dependencies Step 2 of 3 │ ├ Installing dependencies │ installed via `npm install` │ ├ Installing @cloudflare/workers-types │ installed via npm │ ├ Adding latest types to `tsconfig.json` │ skipped couldn't find latest compatible version of @cloudflare/workers-types │ ╰ Dependencies Installed ╭ Deploy with Cloudflare Step 3 of 3 │ ├ Do you want to deploy your application? │ no deploy via `npm run deploy` │ ├ APPLICATION CREATED Deploy your application with npm run deploy │ │ Navigate to the new directory cd apps/worker │ Run the development server npm run start │ Deploy your application npm run deploy │ Read the documentation https://developers.cloudflare.com/workers │ Stuck? Join us at https://discord.gg/cloudflaredev │ ╰ See you again soon!

Except that there is. Cloudflare is pretty great for free SSL certificates and DNS management, but they also offer a free Workers plan. A Cloudflare worker is basically JavaScript code that runs on Cloudflare's edge network and handles HTTP traffic. You can do a lot with workers, including modifying/rewriting HTML responses. You can probably see where this is going: If a worker can modify HTML responses, then it can inject the umami script into every HTML response.

Cloudflare Workers

And what about the DX of using Workers with Pages?

I tried to use that recently and it was a disaster. I wrote about my experience here:

https://twitter.com/pierbover/status/1641474067013271552

I then opened these two issues:

https://github.com/cloudflare/workers-sdk/issues/2962

https://github.com/cloudflare/workers-sdk/issues/2964

I ended up moving the project over to Netlify + Edge functions. I had it all working in like 5-10 mins as it should. Took me two hours to figure out why Workers weren't working in my Pages project, and could never get Workers working properly with my Astro project.

I think you're working exclusively on the engine of Workers which is really top notch, but Cloudflare really needs to improve the outer layer which affects DX considerably.

If you think this is a bug, please open an issue at: https://github.com/cloudflare/workers-sdk/issues/new/choose ```

One of the unexpected use of shadow DOMs for me was a document generated for image resource URLs [1], because the HTML standard apparently specifies the exact DOM structure of the generated document except for the `` element [2].

[1] https://github.com/chromium/chromium/blob/f02ca73/third_part...

[2] https://html.spec.whatwg.org/multipage/document-lifecycle.ht...

Recently my favorite open source mouse gestures extension SmartUp Gestures was taken over by some shady entity (with github no longer being updated of course).

I opened Chrome ticket that they should ask to re-enable extension when ownership changes. They just closed the ticket replying with this link:

https://chromium.googlesource.com/chromium/src/+/main/extens...

:(

Hmm. It looks like files with the .lnk or .pif file extension can only be downloaded on a user gesture: https://chromium.googlesource.com/chromium/src/+/39841e54180...

So it can't be done silently. Although, I do wish the type was marked "DANGEROUS" a la dll files.

On Linux, Chromium uses setuid or user namespaces to restrict the access of sandboxed components and seccomp-bpf to reduce the kernel attack surface.

Check out the Chromium docs on this topic: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/l...

You can also disable JIT in Firefox by setting javascript.options.baselinejit to false in about:config, although you won't get CET.

[1] https://github.com/chromium/chromium/blob/12c232c43ce7324d30...

Chromium targets iOS already: https://chromium.googlesource.com/chromium/src/+/main/docs/i...

For the sake of completeness, I've traced the evolution of the notice over time:

From 2008-07-26: "Going incognito doesn't affect the behavior of other people, servers, or software. Be wary of: / • Websites that collect or share information about you / • Internet service providers or employers that track the pages you visit / • Malicious software that tracks your keystrokes in exchange for free smileys / • Surveillance by secret agents / • People standing behind you" (https://chromium.googlesource.com/chromium/src/+/09911bf300f...)

From 2013-12-07: "Going incognito doesn't affect the behavior of other people, servers, software, or people standing behind you." (https://chromium.googlesource.com/chromium/src/+/c5e36c57178...)

From 2013-12-13: "However, you aren't invisible. Going incognito doesn't hide your browsing from your employer, your internet service provider, or the websites you visit." (https://chromium.googlesource.com/chromium/src/+/70821506825...)

From 2014-02-27: "However, you aren't invisible. Going incognito doesn't hide your browsing from your employer, your internet service provider, governments and other sophisticated attackers, or the websites you visit." (https://chromium.googlesource.com/chromium/src/+/ab54bd65701...)

From 2014-04-29: "Going incognito doesn't hide your browsing from your employer, your internet service provider, or the websites you visit." (https://chromium.googlesource.com/chromium/src/+/eb09a62ef40...)

From 2016-01-15: "However, you aren't invisible. Going incognito doesn’t hide your browsing from your employer, your internet service provider, or the websites you visit." (https://chromium.googlesource.com/chromium/src/+/b7dac1a6a79...)

From 2017-02-27: "Your activity might still be visible to: / • Websites you visit / • Your employer / • Your internet service provider" (https://chromium.googlesource.com/chromium/src/+/cfe102adddc...)

From 2017-03-29: "Your activity might still be visible to: / • Websites you visit / • Your employer or school / • Your internet service provider" (https://chromium.googlesource.com/chromium/src/+/7ca3ccf74e8...)

(Note that some of these were behind a feature flag for a few months.) Also, it looks like they've been intending to modify the new-tab page text for Incognito windows for some time, as part of the "Revamped Incognito NTP" project. You can view the modified text with 'chromium --enable-features=IncognitoNtpRevamp':

From 2021-08-13: "What Incognito doesn't do / Incognito does not make you invisible online: / • Sites know when you visit them / • Employers or schools can track browsing activity / • Internet service providers may monitor web traffic" (https://chromium.googlesource.com/chromium/src/+/e6ae57ba385...)

From 2022-01-25: "What Incognito doesn't do / Incognito does not make you invisible online: / • Sites and the services they use can see visits / • Employers or schools can track browsing activity / • Internet service providers can monitor web traffic" (https://chromium.googlesource.com/chromium/src/+/8b349f6c984...)

Blink can now be compiled for iOS, but without JIT or WASM:

https://chromium.googlesource.com/chromium/src/+/main/docs/i...

https://bugs.chromium.org/p/chromium/issues/detail?id=141170...

I think its weird that Vercel has this limit. There is no practical reason I can think of for having such a limit on URL characters that is so small. Chrome suggests a 2MB limit[0] for example. The platform itself doesn't have one, and Firefox I believe if memory serves (I can't find the source for this claim atm) is 1 MB effectively, and I don't think Safari is any lower than that either (and may well be more inline with Chrome on this, at 2 MB)

[0]: https://chromium.googlesource.com/chromium/src/+/master/docs...