Our great sponsors
-
-
security-research
This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
Recently I was reading the Learn CSS the pedantic way book and the definition for inline boxes did not match the way that anonymous block boxes were generated when an inline-level element had a block-level element as its child. So I went looking elsewhere for a more appropriate definition for that case and found this issue on standards: https://github.com/w3c/csswg-drafts/issues/1477 It was really interesting to know that I was not the only one confused. My question was: Does the inline-box generated by the inline-level element contains the box generated by the block-level child or there wasn't an inline-box that was a parent of them all but there were 2 siblings inline-level boxes of the block-level box that were wrapped in another anonymous block boxes? Reading that issue I got to know the concept of fragments, which I did not know browsers had. But the issue seems to suggest that the box tree for this case should have the inline-box as being a parent of the block-box. Which led me to another question, in that case, if I apply a border to the parent inline-level element, shouldn't it apply to the overall box that is generated (it does not)? The answer is that borders between block-boxes and inline-level boxes should not intersect but that is really difficult to derive from reading the standards alone. Anyway it was headache-inducing trying to learn the box-model pedantically :)
> Alright, let's take a step back. First, I am not a mobile developer.
I think you're whichever kind of developer your current position requires. You've been talking about Android non-stop throughout this conversation, and conversations you've had with others on this website [1]. When you were lambasting me about my perceived knowledge of mobile development you were touting your Android knowledge. Now that I've proven Android is actually one of the primary tools Google uses to promote Chrome (and you admitted you don't know much about iOS) you want to distance yourself from mobile development altogether.
> Other examples include whatever iOS does (which I don't know), containers (docker and the likes), VMs, and everything in-between (like what snap or flatpak use).
We're not discussing theoretical means with which you could sandbox an application, we're talking about how apps are actually used in reality. If you need to fire up a virtual machine every time you use your favorite desktop apps, then you're only proving my point that they're not inherently very secure. Not to mention, the average user probably has no idea what Docker or a virtual machine even is. Like I said in my original response, lots of things are possible in theory, but in practice web browsers are much better at sandboxing apps than desktop operating systems (and even better than mobile operating systems).
> If anything, modern browsers are so complex (and getting worse with time) that the attack surface is big
Ironically, a lot of that complexity arises from the web's insistence on security. V8 is complex because it has so many safeguards in place to sandbox JavaScript, and that sandboxing is taken very seriously. There's a reward anywhere from 10,000 to 150,000 USD if you can escape the sandbox [2][3]. Browsers are inherently more secure than desktop apps because they limit access to the underlying platform. Someone developing malware as a web app has to first escape the browser sandbox, just to gain the privileges that a desktop app has natively. If it helps, you can think of every desktop app as a webapp which has already escaped the browser.
> Moreover, Web UIs bring their own class of issues that don't really apply to native apps.
No, web developers have just spent so much time thinking about security, that native app developers haven't even realized these security issues are relevant yet. It took years for Apple and Google to come to the brilliant conclusion that they should notify users when an app is reading from the clipboard, something which at the time was considered just a Browser "class of issue". Maybe in 2034 they'll figure this out for desktop apps.
> But CORS is really a browser thing, I don't think it really makes sense to compare it to anything outside the "webview world".
It makes sense to compare it to things outside of the browser because it protects users and servers. You seem to want to disqualify any point I make that you can't disprove. If you don't think web technology is comparable to anything outside the browser, then what are we even arguing about? This whole discussion has been about comparing the security of web apps to non-web apps.
> If security is your concern (and you seem to insist that it is), then webapps are really not better than the alternatives. Actually, the Apple Store and the Play Store (to give an example in the mobile world) allow Apple and Google to somehow monitor the apps that users install, which is most certainly more secure than a model where anyone can load any webapp from any website.
Apple and Google have to monitor which apps make it to their app stores, BECAUSE apps are so much more prone to security problems. You once again have it completely backwards. No one has to gatekeep websites because browsers are so much better at sandboxing applications. And allow me to remind you that admitted you have no idea how iOS sandboxing works, so you can't really be confident about this stance even if it did make sense.
And now you're arguing in favor of the app store duopoly which contradicts your point about software diversity. You can't have it both ways. You're trying to hold on to two contradictory points at the same time: you don't like the supposed lack of Browser diversity (which is why you seem to detest Chromium), but you like the supposed security guarantees of the mobile app store duopoly, which is even less diverse.
[1] https://news.ycombinator.com/item?id=38919389
[2] https://github.com/google/security-research/blob/master/v8ct...
[3] https://bughunters.google.com/about/rules/5745167867576320/c...