Both are worth reading.
I have added year indicators to my blog (such that old articles have a prominent year name in their title) and a subscribe note (people don’t know you can put URLs into a feed reader and it’ll auto-discover the feed URL). Each time, the number of people who email me identical questions goes down :)
Anyway, thanks for blogging!
Locking down features to have a unified experience is what a browser should do, after all, no matter the performance. Of course there are various vendors who tried to break this by introducing platform specific stuff, but that's also why IE, and later Edge (non-chrome) died a horrible death
There are external sandbox escapes such as Adobe Flash, ActiveX, Java Applet and Silverlight though, but those external escapes are often another sandbox of its own, despite all of them being a horrible one...
But with the stabilization of asm.js and later WebAssembly, all of them is gone with the wind.
Sidenote: Flash's scripting language, ActionScript is also directly responsible for the generational design of Java-ahem-ECMAScript later on, also TypeScript too.
I feel like I am the only one who absolutely loved ActionScript, especially AS3. I wrote a video aggregator (chime.tv[1]) back in the day using AS3 and it was such a fun experience.
1. https://techcrunch.com/2007/06/12/chimetv-a-prettier-way-to-...
There is the universal hate for flash because it was used for ads and had shitty security, but anyone I know who actually used AS3 loved it.
At its peak, with flex builder, we also had a full blown UI Editor, where you could just add your own custom elements designed directly with flash ... and then it was all killed because Apple did not dare to open source it, or put serious efforts on their own into improving the technical base of the flash player (that had aquired lots of technical dept).
That's only one side of it. Flash was the precursor to the indie/mobile gamedev industry we have today (Newgrounds, Miniclip, Armor Games), before smartphones become ubiquitous. Not to mention some rather creative websites, albeit at the cost of accessibility .
Flash's only fault was it's creators were gobbled up by Adobe, who left it in the shitter and ignored the complaints people had about it's security issues.
I don't think Flash was harder to secure than HTML itself. People just gave up trying because browser vendors used security to purge the web of anything they didn't control.
Your take on why Flash didn't survive is more cynical than mine. I genuinely think Apple threw up their hands at the prospect of attempting to solve a security problem on the same scale as the browser itself (something it took them a long time to get a handle on --- along with everyone else --- even after they put the kibosh on Flash).
There are certainly obvious issues with securing a third party codebase you don't control, and it's likely that the browser makers had more budget to spend on security than Adobe. But there was no technical reason Flash couldn't have been treated as an alternative rendering engine from a sandboxing perspective, and I think Chrome did it. Pepper was an initiative to generalize that. Blink is full of holes as other comments point out and it's only the kernel sandboxing that makes adding new features viable at all.
I'm cynical because when the browser makers talked about phasing out plugins it wasn't primarily security they talked about. This blog post talks about speed and energy usage first:
https://blog.google/products-and-platforms/products/chrome/s...
The same language can be found in the announcement of their HTML5 by default strategy here:
https://groups.google.com/a/chromium.org/g/chromium-dev/c/0w...
"While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption."
Security isn't mentioned, perhaps because trying to argue that their own pile of C++ was somehow meaningfully more robust than Adobe's big pile of C++ wasn't going to be convincing.
Their writings about this were also very heavy on "open web" ideology, although the SWF format was documented by that point and openness doesn't go well with deliberately wiping out a tech that was voluntarily deployed by 80%+ of websites. If openness means anything it means open to extension, which plugins provided and forcing everyone to use HTML5 did not. When they deprecated NPAPI they even sort of admitted to this:
https://blog.chromium.org/2013/09/saying-goodbye-to-our-old-...
"The Netscape Plug-in API (NPAPI) ushered in an early era of web innovation by offering the first standard mechanism to extend the browser. In fact, many modern web platform features—including video and audio support—first saw mainstream deployment through NPAPI-based plug-ins. But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors."
I always found this blog post curiously worded. It has a Fukuyama-style "end of history" vibe to it. Yes plugins boosted innovation because the web platform always lagged years behind, but now the web has "evolved" and the innovation era isn't needed anymore.
I think they just had the focus on features and speed and fps. Not security nor efficency (battery life).
IIRC, they couldn't open source Flash due to its use of a number of 3rd party C/C++ libraries that were proprietary.
Adobe's license with these 3rd parties permitted binary-only distribution so it would have meant renegotiating a fresh license (and paying out $$$) for an EOL codebase that had enormous technical debt, as you also acknowledge in your last sentence.
Did you or, more likely, your phone mistype Adobe? I don’t think Apple ever had the rights to the source or even the source, did they?
Maybe it was the standalone flex player instead of the web Flash player?
I blame the runtime. The quality of the code was good. It was not normal.
A few sources of people complaining about the same, some from hn with the same solution I had to adopt, some from CVE, some from users:
- https://community.adobe.com/questions-638/flash-player-23-24...
- https://advisories.checkpoint.com/defense/advisories/public/...
- https://news.ycombinator.com/item?id=45813026
> The memory leaks were so bad that Adobe advised us to just restart the app periodically
- https://blog.gskinner.com/archives/2005/10/major_flash_pla.h...
(Flash for desktop, with file access)
So what would have taken a day or two back when Flash was available is now taking a week of hand-writing tweens and animations in raw Typescript, one layer at a time.
Since I happened to write the first canvas-based interactive screen graph code that Grant Skinner partially ripped off to create EaselJS, and since I'm sure he's making a fine living from Adobe licensing it, it's especially galling that I'm still paying for a CC license and this is what I get when I want to use a GUI to make some animations to drop into a game.
It's the first time I've done a 2D game since 2017, and I had over a decade of experience building games in Flash/AIR before that. It's just mind-blowing how stupid and regressed Adobe's tooling has become in the past few years, and how much harder it is to do simple things that we took for granted in the heyday of Flash authoring. There really is still no equivalent workflow or even anything close. I guess that post-Flash, there aren't enough people making this kind of web game content for there to be a solid route without using Unity or something.
Pixi is great for anything that is a texture, then it is really fast. Otherwise it is not a flash replacement.
I do not use it for vector animations, but spritesheets or a webm video overlay is what I would use in your case.
But .. it bothers me of course as well, having a full video of rastergraphic what could be just some vector and animation data.
I might try Spine, I've heard some positive things. They'll still end up as textures in pixi but maybe at least they can pack well.
I never really worked with it, but it seems whenever it comes up here or on Reddit, people who did, miss it. I think the authoring side of Flash is remembered very positively.
For a while RIM/Blackberry was using Adobe Air - on the Playbook and also the built-in app suite in the lead up to the launch of BB10. The latter never saw the light of day though, a late decision was made to replace all of the built-in apps with Qt/Cascades equivalents (if I remember right this was due largely to memory requirements of the Air apps).
Silverlight was nice, pity it got discontinued.
Thus it isn't as if the browser plugins story is directly responsible for its demise.
What I find most compelling about this framing is the maturity argument. Browser sandboxing has been battle-tested by billions of users clicking on sketchy links for decades. Compare that to spinning up a fresh container approach every time you want to run untrusted code.
The tradeoff is obvious though: you're limited to what browsers can do. No system calls, no arbitrary binaries, no direct hardware access. For a lot of AI coding tasks that's actually fine. For others it's a dealbreaker.
I'd love to see someone benchmark the actual security surface area. "Browsers are secure" is true in practice, but the attack surface is enormous compared to a minimal container.
For the same reasons given, NPM programmers should be writing their source code processors (and other batch processing tools) to be able to run in the browser sandbox instead of writing command-line utilities directly against NodeJS's non-standard (and occasionally-breaking) APIs.
And today this is.. not sufficient. What we require today is to run software protected from each other. For quite some time I tried to use Unix permissions for this (one user per application I run), but it's totally unworkable. You need a capabilities model, not an user permission model
Anyway I already linked this elsewhere in this thread but in this comment it's a better fit https://xkcd.com/1200/
Unix permissions remain a fundamental building block of Android's sandbox. Each app runs as its own unix user.
Can Binder run on desktop, with some non-mainline kernel? Is someone maintaining such kernel with up to date patches?
Tautology is tautology.
> but Java applets were removed from the browsers
Java applets provided more scope compared to the browser itself, not less. They're not really comparable to seccomp or namespaces.
> hosters who will hand off user account to a shared server
There's lots of CI or function runners that expose docker-like environments.
They are comparable because they provided a restricted sandbox to execute untrusted code.
> There's lots of CI or function runners that expose docker-like environments.
These are running inside VMs.
Java applets were killed off my MS's attempt at "embrace, extent, extinguish" by bundling an incompatible version of Java with IE, and Sun's legal response to this.
Sometimes *nix user accounts for AI agent sandboxing does come up in discussions. At [0], HN user netcoyote linked to his sandvault tool [1], which "sandboxes AI agents in a MacOS limited user account".
Actually seems like a great idea IMO, to be lightweight, generic, and robust-enough.
On http://co-do.xyz/ you can select a directory and let AI get to work inside of it without having to worry about side effects.
The Fily System Access API is the best thing that happened to the web in years. It makes web apps first class productivity applications.
They won’t be first-class as long as native UI still has the upper hand.
Outside those sort of spaces it’s hard to name a popular piece of software still on native that isn’t a wrapped webapp.
To the extent that the battle has been won, the apps it has been won with are nevertheless second-class compared to native-level usability.
Thought these were web wrappers now if you use the latest
> text editors in general
Definitely not in general, VSCode and Cursor are both webtech and are extremely popular. Only terminal editors are native and then beyond that you have things like SublimeText, Textmate which are extremely niche now.
> Java IDEs
Yeah those and XCode I guess, Java IDE is extremely niche compared to webdev.
cough CapCut cough
Firefox and safari are generally very conservative about new api that can enable new type of exploits.
At least firefox and safari does implement origin private file system. So, while you can't edit file on user disk directly. You can import the whole project into browser. Finish the edit and export it.
The Chrome team's new, experimental APIs are a separate matter. They provide additional capabilities, but many programs can get along just fine without since they don't don't strictly need them in order to work—if they would ever even have end up using them at all. A bunch of the applications in the original post fall into this category. You don't need new or novel APIs to be able to hash a file, for example. It's a developer education problem (see also: hubris).
"This" what? sha256sum doesn't need read-write access for even one file to be able to compute a hash, let alone a whole directory. You're ignoring most of my comment, focusing on like 20%, and in so doing, missing (and/or deliberately misframing) 100% of the point.
Yup. That's the link, all right—the one we all read and that I'm citing examples from. Thanks for the reminder, I guess: it has been a whole 8 hours since I first looked at it.
What "we" are talking about here, in this subthread, is the fact that "Browsers have had widespread support for processing files" for a long, long time, and that although "Chrome team's new, experimental APIs [...] provide additional capabilities" which are undoubtedly useful for certain programs, they're overkill and don't offer anything new and/or strictly necessary for many, many programs that don't actually need that sort of access—including "A bunch of the applications in the original post [that] fall into this category. You don't need new or novel APIs to be able to hash a file, for example."
Which is to say, we're talking about POLP/POLA. And the point of my comment was to address the very worthwhile matter of POLA violations. But you seem insistent on shutting that discussion down with chatter that looks like it's an on-topic reply or refutation to something, but in reality doesn't actually meaningfully engage with what you're purporting to respond to, or at best comes come across as confused and not particularly attentive.
There are already and will continue to be plenty of opportunities to discuss the acknowledged upsides of the new APIs for the class of programs for which they are strictly necessary. There's a lot of them in this very comment section. It doesn't have to come at the expense of changing the subject in the middle of a different conversation—accompanied by undertones that you're putting some matter to rest.
mg: This is a great example of how useful the File System Access API is ...
auggierose: the API is not supported (yet?) either by Safari or Firefox
you: describes the current situation with cross-browser file input support, says it's a "developer education problem"
me: this specific use case really does need the full API
It read to me, and still does read to me, like you were saying that Kinlan's use of FSA was hubris.
> I agree we're talking past each other
You're exactly half right.
Let's make this dead simple: does anyone need any of these new APIs to compute the SHA-2 hash for a file? A simple answer will do. Simple, non-evasive, no "look thither" misdirection.
Sir…?
Not that I'm not excited about the possibilities in personal productivity, but I don't think this is the way--if it was, we wouldn't have lost, say, the ability to have proper desktop automation via AppleScript, COM, DDE (remember that?) across mainstream desktop operating systems.
I have a DDE book somewhere, with endless pages of C boilerplate to exchange a couple of values between two applications on Windows 3.x.
If not using WinUI 3.0, or Windows ML with CoPilot+, there is no reason to submit oneself to the pain of using CsWinRT or C++/WinRT bindings with lesser tooling than their UWP counterparts.
The large majority of new APIs, since Vista are based on traditional COM, with the biggest exception being UMDF that in version 2.0 rolled back its COM API from version 1.0, back to a C based one.
1) webcontainer allows nodejs frontend and backend apps to be run in the browser. this is readily demonstrated to (now sadly unmaintained) bolt.diy project.
2) jslinux and x86 linux examples allow running of complete linux env in wasm, and 2 way communication. A thin extension adds networking support to Linux.
so technically it's theoretically possible to run a pretty full fledged agentic system with the simple UX of visiting a URL.
My eventual goal with that is to expand it so an LLM can treat it like a filesystem and execution environment and do Claude Code style tricks with it, but it's not particularly easy to programmatically run shell commands via v86 - it seems to be designed more for presenting a Linux environment in an interactive UI in a browser.
It's likely I've not found the right way to run it yet though.
I see the datestamp on this early test https://fingswotidun.com/tests/messageAPI/ is 2023-03-22 Thinking about the progress since then I'm amazed I got as far as I did. (To get the second window to run its test you need to enter aWorker.postMessage("go") in the console)
The design was using IndexedDB to make a very simple filesystem, and a transmittable API
The source of the worker shows the simplicity of it once set up. https://fingswotidun.com/tests/messageAPI/testWorker.js in total is just
importScripts("MessageTunnel.js"); // the only dependency of the worker
onmessage = function(e) {
console.log(`Worker: Message received from main script`,e.data);
if (e.data.apiDefinition) {
installRemoteAPI(e.data.apiDefinition,e.ports[0])
}
if (e.data=="go") {
go();
return;
}
}
async function go() {
const thing = await testAPI.echo("hello world")
console.log("got a thing back ",thing)
//fs is provided by installRemoteAPI
const rootInfo = await fs.stat("/");
console.log(`stat("/") returned `,rootInfo)
// fs.readDir returns an async iterator that awaits on an iterator on the host side
const dir = await fs.readDir("/")
for await (const f of dir) {
const stats = await fs.stat("/"+f.name);
console.log("file " +f,stats)
}
}
It wouldn't take too much to have a $PATH analog and a command executor that launched a worker from a file on the system if it found a match existed on the $PATH. Then a LLM would be able to make its own scripts from there.
It might be time to revisit this. Polishing everything up would probably be a piece of cake for Claude.
Isn't webcontainers.io a proprietary, non-open source solution with paid plans? Mentioning it at the same level of open source, auditable platforms seems really strange to me.
https://developer.chrome.com/blog/persistent-permissions-for...
On my desktop Chrome on Ubuntu, it seems to be persistent, but on my Android phone in Chrome, it loses the directory if I refresh.
That said. It's a good start.