undefined | Better HN

0 pointsJoshTriplett1y ago0 comments

> What do you want which isn't designed for a native app?

Running in a user-agent which is explicitly adversarial to the app's interests and capable of e.g. filtering out and rejecting its HTTPS requests and changing its displayed content based on user preferences, such as preventing the loading or display of advertisements/tracking/etc.

Please by all means suggest an established sandboxing technology that applications use that already does that. If your answer is "you could extend existing native-application sandboxes to be capable of that", my response is "why should I bother when I already have one that does what I want and that applications actually use?".

I would love to instead have a world in which everything is Open Source, in which case it'd be less necessary. Given that we're not in that world, the web is the platform I want proprietary applications to live in.

> So you're either wanting to use and develop for Linux, or you're wanting to build apps that fit in walled gardens.

I already use and develop for Linux, for a variety of Open Source applications. When I run other people's applications, I want them to either be Open Source or I want them to stay confined to a browser tab. Browsers aren't a "walled garden", they're a containment mechanism that works for the user.

> Guess which one lets you build and/or run native apps in a sandbox not of its own making, and provides comprehensive APIs, and keeps the user in control?

Delete the word "native" and the answer is "the web". And you've made zero compelling cases for adding the constraint "native".

To be clear, I could easily describe cases where native applications are better. For instance, I don't particularly want to run a code editor on the web, though many people do. 100% of those are cases where I seek out Open Source applications, so that I can trust them to not be doing things counter to my interests. And such applications don't need the same kind of sandboxing; they need to guard against security issues, but they don't generally need to guard against the application itself intentionally doing things against the user's interests. (That said, things like the xz backdoor do happen, which is an argument for being able to sandbox individual libraries and not just whole applications. But again, that's addressed by coarse-grained sandboxes like "this code shouldn't be doing this whole class of things at all".)

0 comments

2 comments · 1 top-level

inetknght1y ago· 1 in thread

> Running in a user-agent which is explicitly adversarial to the app's interests and capable of e.g. filtering out and rejecting its HTTPS requests and changing its displayed content based on user preferences, such as preventing the loading or display of advertisements/tracking/etc.

I would love to have that in my OS. But, let me know what browser you think that is. It's not Firefox, nor Chrome, and certainly not Edge.

> Please by all means suggest an established sandboxing technology that applications use that already does that.

Linux cgroups is an established sandboxing technology. It has the potential to do what you want but currently needs more work to make it simple.

Applications don't use it to the extent that they should.

> why should I bother when I already have one that does what I want and that applications actually use?

Because browsers don't do what you want. Browsers have been subverted to no longer be user agents. Browsers don't reject HTTPS requests that aren't in the best interests of users. You have to install extensions to get that. If you have to customize your "user agent" then I suggest that customization belongs at the OS level. Otherwise, for example, in the case of Windows or macOS, you're just running someone else's game and the browser is merely a veneer.

> When I run other people's applications, I want them to either be Open Source or I want them to stay confined to a browser tab.

I want more restriction than a browser tab. I want more restriction than browsers are going. I want this in the OS and the reason it doesn't yet exist is because there are so many web developers who build terrible web apps instead of learning computer science to build a (terrible) native application and ask for the same restrictions in the OS instead of a browser.

Access to store and retrieve user credentials? No. I want to run multiple instances of the same app without every app seeing all of the credentials. I want a separate password manager that lets me choose when or where to provide credentials.

Access to store things on my computer [0]? No thanks at all. If you're running in a browser, you should be lightweight. You should eat the storage expenses for your app and you should minimize your app's size to minimize your network transfer costs. I have very limited storage space, limited write endurance, and web apps waste both.

Run stuff in the background [1]? No. Run your compute on your own hardware. Power is expensive and that web app running whatever it's running is making my whole system slow down. Ten different tabs, for six different apps, all thinking they can run whatever the hell they want, and leaves very little available for me to actually get work done.

Access to my GPU [2]? Dude, no. I have a slow GPU and that crappy web app is slowing everything down while eating both main memory and also GPU memory. And who knows what kind of security isolation GPUs have these days (protip: none)!

Access to my USB devices [3]? No friggen thanks. That slow hard disk? It's USB. And that USB bus? Yeah it's slow too. And what a security nightmare: that's where my USB-to-ethernet adapter is, on the same slow bus!

Microphone? Camera? System notifications? No, no, no [4].

I want what you want, but I want it at the OS level. Without OS-level control, that web app isolation makes everything worse.

[0]: https://en.wikipedia.org/wiki/Web_storage

[1]: https://en.wikipedia.org/wiki/Web_worker

[2]: https://en.wikipedia.org/wiki/WebGPU

[3]: https://en.wikipedia.org/wiki/WebUSB

[4]: I got lazy and stopped looking for more web APIs for you

JoshTriplettOP1y ago

> Linux cgroups is an established sandboxing technology. It has the potential to do what you want but currently needs more work to make it simple.

I'm extremely familiar with cgroups, and no, it really doesn't have anything remotely suitable for interposing application UI elements, nor is it a good fit for intercepting HTTPS requests unless you're prepared to run a proxy that MITMs all requests and you overcome the certificate pinning many applications do. (And the most obvious ways of doing that tend to lower security.)

Browsers are a nearly unique environment in this regard, in which myriad applications are built to let the environment (the browser) handle both the network access and the UI rendering for them. It is a path-dependent marvel of history that we have such a popular platform that gives as much control to users as it does.

> You have to install extensions to get that.

And the Linux kernel alone doesn't do what you want either, you need userspace frameworks for that. The browser provides the necessary APIs to intercept requests, and extensions use those to implement all sorts of useful functionality. "You need an extension" is not a counterargument when the extensions already exist and other frameworks need the equivalent as well.

> If you have to customize your "user agent" then I suggest that customization belongs at the OS level.

As mentioned above, OS sandboxing is substantially worse than browser sandboxing for the purposes I care about, and does not solve the problems I have. In a browser, both the UI and the network access is handled by a user-agent that can be adversarial to the application.

Oh, and the best up-and-coming solution that offers anywhere close to the same thing? WebAssembly components running outside the browser, where you can say to a component "I won't give you raw network access, but if you hand me network requests I'll hand you results".

> in the case of Windows or macOS, you're just running someone else's game

You'll get no argument from me on that point. But that doesn't hold for an Open Source OS and browser.

> I want this in the OS and the reason it doesn't yet exist is because there are so many web developers who build terrible web apps instead of learning computer science to build a (terrible) native application and ask for the same restrictions in the OS instead of a browser.

People who have different preferences and values than you do are not stupid. People who don't care about the windmill you've chosen to tilt at are not ignorant.

Capability systems have been researched and developed for decades, in many different forms. They could, in theory, be used to solve the problem you care about, given sufficient capabilities and substantially different application design to integrate such capabilities. That has both practical implementation challenges nearly on par with "write a new OS" or "write a new web browser", and also has practical adoption challenges of convincing people to write applications for it when many native applications are trying to get more capabilities that the user may not want them to have.

Despite all that, there are people working on many aspects of that problem. The fact that people don't immediately go "let me drop everything I care about that works for me and prioritize working on your approach" suggests that you either need to do more work on developing it yourself (because nobody will ever care about your exact preferences more than you do yourself) or learn to pitch it to people who don't already agree with you.

> I want what you want, but I want it at the OS level.

See the previous paragraph: Feel free to write it then. When you've built something that's anywhere close to the capabilities of a web browser, I look forward to trying it, and I'm sure many other people will too. I hope you succeed.

j / k navigate · click thread line to collapse