undefined | Better HN

0 pointslxgr1y ago0 comments

Forcing every website to adapt to a browser update is completely infeasible.

> I can't imagine there are many sites passing significant amounts of data through this

This is actually a quite common mechanism for popup-based authentication (which is much more secure than iframe-based one, as users can verify where they're potentially entering their credentials).

0 comments

zamalek1y ago

We had the tech in the 80's for the browser to facilitate popup authentication with process isolation. It's this niche and esoteric tech called IPC[1], so niche that one really can't blame Apple for not hearing about it.

It truly boggles the mind as to how all the other browsers pull it off.

[1]: https://en.wikipedia.org/wiki/Inter-process_communication

lxgrOP1y ago

To be fair, there wasn't that much sensitive web content around in the 80s to leak (primarily due to the web not yet existing, nor browsers), so it's only fair that browsers didn't consider using IPC for site isolation back then.

zamalek1y ago

The point of my rather facetious comment is that IPC a well known thing (I struggle to even call it "tech") that has been around for 30-40 years. I don't understand why Apple needs people to make excuses for them, but this excuse would render Apple vastly more incompetent than neglecting to separate browser tabs in 2025.

lxgrOP1y ago

Browsers are incredibly complex, and moving them to an IPC model is not easy. Essentially, you need to ensure "same process like", performant JavaScript interoperability in some cases, often (but not always) due to backwards compatibility.

Firefox has shared a lot about their efforts in moving there. If you're curious, there are a lot of blog posts and internal design docs under their project name "Project Fission".

But yeah, the fact that both Chrome and Firefox have managed to do so does leave Apple looking slightly bad here.

2 more replies

junon1y ago

That, and "cyber security" wasn't really a formalized field. It arguably still isn't, depending on how the question's framed.

indymike1y ago

To be fair, there was no web in the 80s.

BobbyTables21y ago

Expecting websites to defend themselves against CPU side channel attacks is also absurd!

omcnoe1y ago

But how much data are those popup based auth sending through? At the absolute most a few MB in a couple calls. Even if it's dramatically slower over IPC it's not going to cause issues.

raxxorraxor1y ago

Similar problem with third-party-cookies. They would make some auth cases easier and safer, but we shouldn't generally allow them because they are abused for tracking.

Here I would agree with you though.

asoneth1y ago

Why not a choice?

Individuals could choose a "secure" browser or browser mode that provides increased protection from such attacks or a "compatible" one that is less likely to break old websites.

kergonath1y ago

> Individuals could choose a "secure" browser or browser mode that provides increased protection from such attacks or a "compatible" one that is less likely to break old websites.

And then we get thousands of posts whining about Safari being broken because it is "not like Chrome" and developers moaning that their unsafe pet API is not supported. Web developers are never going to play ball.

amatecha1y ago

idunno, as a professional web dev since 1998, I don't understand why Google, Apple and Mozilla are trying so hard to make the web browser like a complete OS (I technically understand why, I just think it's ridiculous). The amount of obscure APIs being added just boosts the surface area for vulnerabilities and makes low-resource web browsing nearly impossible. You either get "a web browser that works" or "a web browser that can load almost nothing", and basically nothing in between. I had to stop using Firefox on my old ThinkPad because after opening a few windows, it churns the CPU so hard it's not usable for a solid minute+. Let that finish up, and I have to wait again if I dare to open another page. i5-3220m, 8gb of RAM (where the OS uses like 200mb of RAM)... there's no excuse for this to not be able to browse the web.

Some fun examples of "your browser is an OS on top of your OS":

The Screen Wake Lock API provides a way to prevent devices from dimming or locking the screen when an application needs to keep running. https://developer.mozilla.org/en-US/docs/Web/API/Screen_Wake...

The Web Serial API provides a way for websites to read from and write to serial devices. https://developer.mozilla.org/en-US/docs/Web/API/Web_Serial_...

The Window Management API allows you to get detailed information on the displays connected to your device and more easily place windows on specific screens, paving the way towards more effective multi-screen applications. https://developer.mozilla.org/en-US/docs/Web/API/Window_Mana...

The Compute Pressure API is a JavaScript API that enables you to observe the pressure of system resources such as the CPU. https://developer.mozilla.org/en-US/docs/Web/API/Compute_Pre...

(my thesis is, not all web developers want this stuff, and usually when I talk to people in the industry they agree, it's excessive)

ChadNauseam1y ago

Every web developer is fine with 10% of the feature set, it’s just a different 10% for each dev. I am regularly annoyed by the inconsistent browser support for Web MIDI, something 99% of web devs probably don’t care about at all.

It would be easier to sandbox if there were fewer features of course, but in practice we rarely see exploits even in complicated low-level APIs like webgpu (which must be a nightmare to make secure given how many buggy drivers and different devices it has to support). So it seems like in practice we are able to sandbox these APIs securely, and having them provides an incredible benefit to users who are able to securely and easily run applications (how else do you recommend people do this on desktop platforms?).

1 more reply

not_kurt_godel1y ago

> The Screen Wake Lock API provides a way to prevent devices from dimming or locking the screen when an application needs to keep running. https://developer.mozilla.org/en-US/docs/Web/API/Screen_Wake...

There's an obscure use case for this called "Watching Video"

2 more replies

kergonath1y ago

> idunno, as a professional web dev since 1998, I don't understand why Google, Apple and Mozilla are trying so hard to make the web browser like a complete OS (I technically understand why, I just think it's ridiculous)

I am not a web developer but I completely agree with you. To me, adding more complex points of failure in humongous piles of code that we absolutely need to run in a modern life is not a great risk assessment. It’s like we never learnt from the security issues with the JVM.

collinmanderson1y ago

> The amount of obscure APIs being added just boosts the surface area for vulnerabilities

It’s often the ancient APIs from around 1995-2001 that are the most vulnerable ones, with information leaking across origins (like todays) needing hacky fixes to stay secure and compatible.

window.open(), target=_blank, cross site request forgery, etc.

IE6 from 2001 had a ton of these modern security issues, and Netscape before it probably had them too.

At that time there were tons of buffer overflow security holes so no on cared about side-channel attacks.

pjmlp1y ago

I fully agree, as someone also doing Web development in a similar timeframe, for plenty of stuff we would be better with native apps talking over Internet protocols, no need to transform a platform for interactive documents into a OS.

lxgrOP1y ago

Well, for better or worse, the web is an application platform these days.

I consider it pretty great, since the alternative is installing native apps for things I'm using exactly once or very rarely.

There's a case to be made though that maybe these things should only be available to PWAs, which is what Apple is already doing for some functionality on iOS, including push notifications.

1 more reply

phatskat1y ago

The first two, screen wake lock and web serial have good use cases imo. I wouldn’t be surprised if some in-use assistive technology uses serial communication - think screen readers or custom input devices. Keeping the screen from locking is also useful from a purely accessible standpoint as well for users who move slower or need more time to read things.

Khaine1y ago

I agree with you, particularly when 90% of sites people visit are to read, watch, or engage with content.

jahewson1y ago

That’s not a real choice though. All it takes is one website that is essential to me not supporting the secure mode and I’m forced to opt-out. The upstream website is making the choice for me.

kelnos1y ago

Users don't want to make these kinds of choices, and generally there's no good way to educate them enough to figure out what they actually want.

ameliaquining1y ago

People are downvoting you, but Apple does actually offer this: https://support.apple.com/en-us/105120

I think they've gotten away with it because it's a pretty obscure setting and they say a bunch of things like "most users should not enable this, and if you do enable it you should expect things to break".

dfedbeef1y ago

It's super feasible if you own the API default.

lxgrOP1y ago

It's definitely a quick way to get all your users to switch to a different browser or figure out how to disable updates forever.

connicpu1y ago

One spot where safari is in an advantageous position to force a new default, as long as they roll it out on iOS first.

throwaway8943451y ago

I mean, if all major browsers do it roughly once then users will complain to the few broken websites. They won’t even think to blame the browser if every other site works fine and the broken site is broken on all browsers.

lxgrOP1y ago

Good luck trying to get Google or Microsoft to throw their paying enterprise users under the bus in the interest of slightly safer sandboxing defaults.

1 more reply

dfedbeef1y ago

You just announce you are making a change and then turn it on later.

schrodinger1y ago

After building enterprise APIs for a few years, you’d be amazed at how hard it is to get companies to make even minor changes; backwards compatibility is key. Often it’s because they _can’t_ make the change themselves since they outsourced the code to a consulting agency. So they’d have to sign a new contract and get an agency to make the change.

They just won’t, and you’ll have a browser that people stop using.

bee_rider1y ago

It is probably outside the scope of what one company can do (although Apple is quite large…). But we need to fix our understanding of backwards compatibility. If a computer system provides the ability to keep doing something, but the way it provides that capability requires it to be insecure, then the system should not really be thought of as “backward compatible.” Because reasonably prudent people can’t actually keep doing the thing they were doing before.

Of source, modern computers on the modern web don’t really provide the ability to do much at all in a reasonably prudent fashion, so it is all a bit moot I guess.

lxgrOP1y ago

Announce what to whom? To the hundreds of millions of users out there that don't even know what a browser is, let alone why it's now talking to them about something called a "site isolation framework"?

plufz1y ago

I would guess you would use a deprecation message in the console? Like they have done over cookie changes, etc. A normal user would obviously not check the console, but the devs or admins of the site sure might.

1 more reply

j / k navigate · click thread line to collapse

0 comments

zamalek1y ago

It truly boggles the mind as to how all the other browsers pull it off.

[1]: https://en.wikipedia.org/wiki/Inter-process_communication

lxgrOP1y ago

zamalek1y ago

lxgrOP1y ago

Firefox has shared a lot about their efforts in moving there. If you're curious, there are a lot of blog posts and internal design docs under their project name "Project Fission".

But yeah, the fact that both Chrome and Firefox have managed to do so does leave Apple looking slightly bad here.

2 more replies

junon1y ago

That, and "cyber security" wasn't really a formalized field. It arguably still isn't, depending on how the question's framed.

indymike1y ago

To be fair, there was no web in the 80s.

BobbyTables21y ago

Expecting websites to defend themselves against CPU side channel attacks is also absurd!

omcnoe1y ago

But how much data are those popup based auth sending through? At the absolute most a few MB in a couple calls. Even if it's dramatically slower over IPC it's not going to cause issues.

raxxorraxor1y ago

Similar problem with third-party-cookies. They would make some auth cases easier and safer, but we shouldn't generally allow them because they are abused for tracking.

Here I would agree with you though.

asoneth1y ago

Why not a choice?

Individuals could choose a "secure" browser or browser mode that provides increased protection from such attacks or a "compatible" one that is less likely to break old websites.

kergonath1y ago

> Individuals could choose a "secure" browser or browser mode that provides increased protection from such attacks or a "compatible" one that is less likely to break old websites.

amatecha1y ago

Some fun examples of "your browser is an OS on top of your OS":

The Web Serial API provides a way for websites to read from and write to serial devices. https://developer.mozilla.org/en-US/docs/Web/API/Web_Serial_...

The Compute Pressure API is a JavaScript API that enables you to observe the pressure of system resources such as the CPU. https://developer.mozilla.org/en-US/docs/Web/API/Compute_Pre...

(my thesis is, not all web developers want this stuff, and usually when I talk to people in the industry they agree, it's excessive)

ChadNauseam1y ago

1 more reply

not_kurt_godel1y ago

There's an obscure use case for this called "Watching Video"

2 more replies

kergonath1y ago

collinmanderson1y ago

> The amount of obscure APIs being added just boosts the surface area for vulnerabilities

It’s often the ancient APIs from around 1995-2001 that are the most vulnerable ones, with information leaking across origins (like todays) needing hacky fixes to stay secure and compatible.

window.open(), target=_blank, cross site request forgery, etc.

IE6 from 2001 had a ton of these modern security issues, and Netscape before it probably had them too.

At that time there were tons of buffer overflow security holes so no on cared about side-channel attacks.

pjmlp1y ago

lxgrOP1y ago

Well, for better or worse, the web is an application platform these days.

I consider it pretty great, since the alternative is installing native apps for things I'm using exactly once or very rarely.

There's a case to be made though that maybe these things should only be available to PWAs, which is what Apple is already doing for some functionality on iOS, including push notifications.

1 more reply

phatskat1y ago

Khaine1y ago

I agree with you, particularly when 90% of sites people visit are to read, watch, or engage with content.

jahewson1y ago

That’s not a real choice though. All it takes is one website that is essential to me not supporting the secure mode and I’m forced to opt-out. The upstream website is making the choice for me.

kelnos1y ago

Users don't want to make these kinds of choices, and generally there's no good way to educate them enough to figure out what they actually want.

ameliaquining1y ago

People are downvoting you, but Apple does actually offer this: https://support.apple.com/en-us/105120

dfedbeef1y ago

It's super feasible if you own the API default.

lxgrOP1y ago

It's definitely a quick way to get all your users to switch to a different browser or figure out how to disable updates forever.

connicpu1y ago

One spot where safari is in an advantageous position to force a new default, as long as they roll it out on iOS first.

throwaway8943451y ago

lxgrOP1y ago

Good luck trying to get Google or Microsoft to throw their paying enterprise users under the bus in the interest of slightly safer sandboxing defaults.

1 more reply

dfedbeef1y ago

You just announce you are making a change and then turn it on later.

schrodinger1y ago

They just won’t, and you’ll have a browser that people stop using.

bee_rider1y ago

Of source, modern computers on the modern web don’t really provide the ability to do much at all in a reasonably prudent fashion, so it is all a bit moot I guess.

lxgrOP1y ago

plufz1y ago

1 more reply

j / k navigate · click thread line to collapse