Brave Complains Google's Newly-Proposed 'WebBundles' Standard Would 'Make URLs Meaningless' (brave.com) 169
"Google is proposing a new standard called WebBundles," complains Brave's senior privacy reseacher. "This standard allows websites to 'bundle' resources together, and will make it impossible for browsers to reason about sub-resources by URL."
This threatens to change the Web from a hyperlinked collection of resources (that can be audited, selectively fetched, or even replaced), to opaque all-or-nothing "blobs" (like PDFs or SWFs). Organizations, users, researchers and regulators who believe in an open, user-serving, transparent Web should oppose this standard...
The Web is valuable because it's user-centric, user-controllable, user-editable. Users, with only a small amount of expertise, can see what web-resources a page includes, and decide which, if any, their browser should load; and non-expert users can take advantage of this knowledge by installing extensions or privacy protecting tools... At root, what makes the Web different, more open, more user-centric than other application systems, is the URL. Because URLs (generally) point to one thing, researchers and activists can measure, analyze and reason about those URLs in advance; other users can then use this information to make decisions about whether, and in what way, they'd like to load the thing the URL points to...
At a high level, WebBundles are a way of packing resources together, so that instead of downloading each Website, image and JavaScript file independently, your browser downloads just one "bundle", and that file includes all the information needed to load the entire page. And URLs are no longer common, global references to resources on the Web, but arbitrary indexes into the bundle. Put differently, WebBundles make Websites behave like PDFs (or Flash SWFs). A PDF includes all the images, videos, and scripts needed to render the PDF; you don't download each item individually. This has some convenience benefits, but also makes it near-impossible to reason about an image in a PDF independently from the PDF itself. This is, for example, why there are no content-blocking tools for PDFs. PDFs are effectively all or nothing propositions, and WebBundles would turn Websites into the same.
By changing URLs from meaningful, global identifiers into arbitrary, package-relative indexes, WebBundles give advertisers and trackers enormously powerful new ways to evade privacy and security protecting web tools... At root, the common cause of all these evasions is that WebBundles create a local namespace for resources, independent of what the rest of the world sees, and that this can cause all sorts of name confusion, undoing years of privacy-and-security-improving work by privacy activists and researchers...
We've tried to work at length with the WebBundle authors to address these concerns, with no success. We strongly encourage Google and the WebBundle group to pause development on this proposal until the privacy and security issues discussed in this post have been addressed. We also encourage others in the Web privacy and security community to engage in the conversation too, and to not implement the spec until these concerns have been resolved.
The Web is valuable because it's user-centric, user-controllable, user-editable. Users, with only a small amount of expertise, can see what web-resources a page includes, and decide which, if any, their browser should load; and non-expert users can take advantage of this knowledge by installing extensions or privacy protecting tools... At root, what makes the Web different, more open, more user-centric than other application systems, is the URL. Because URLs (generally) point to one thing, researchers and activists can measure, analyze and reason about those URLs in advance; other users can then use this information to make decisions about whether, and in what way, they'd like to load the thing the URL points to...
At a high level, WebBundles are a way of packing resources together, so that instead of downloading each Website, image and JavaScript file independently, your browser downloads just one "bundle", and that file includes all the information needed to load the entire page. And URLs are no longer common, global references to resources on the Web, but arbitrary indexes into the bundle. Put differently, WebBundles make Websites behave like PDFs (or Flash SWFs). A PDF includes all the images, videos, and scripts needed to render the PDF; you don't download each item individually. This has some convenience benefits, but also makes it near-impossible to reason about an image in a PDF independently from the PDF itself. This is, for example, why there are no content-blocking tools for PDFs. PDFs are effectively all or nothing propositions, and WebBundles would turn Websites into the same.
By changing URLs from meaningful, global identifiers into arbitrary, package-relative indexes, WebBundles give advertisers and trackers enormously powerful new ways to evade privacy and security protecting web tools... At root, the common cause of all these evasions is that WebBundles create a local namespace for resources, independent of what the rest of the world sees, and that this can cause all sorts of name confusion, undoing years of privacy-and-security-improving work by privacy activists and researchers...
We've tried to work at length with the WebBundle authors to address these concerns, with no success. We strongly encourage Google and the WebBundle group to pause development on this proposal until the privacy and security issues discussed in this post have been addressed. We also encourage others in the Web privacy and security community to engage in the conversation too, and to not implement the spec until these concerns have been resolved.
Shocking! (Score:5, Funny)
Re:Shocking! (Score:5, Insightful)
It's been doing this since imposing SSL on all websites while stifiling HTTP2 by not allowing unencrypted HTTP2, and then turning around and imposing it's own alternative to http1.1, and kept doing it with WASM (which everyone should turn off immediately)
While I can see some reason to enable SSL, it basically doubled the CPU requirements of most websites that served static content that didn't need SSL, and completely obliterated the cacheability and CDN network performance.
It's really a pity that Microsoft decided to adopt chromium instead of maybe just straight up adopting Safari's Webkit.
Re: Shocking! (Score:2)
Re: Shocking! (Score:3, Insightful)
Re: Shocking! (Score:2)
10,000 TLS vs HTTP connections is so trivial of a difference that the major CDN providers donâ(TM)t even bother charging a different rate from normal HTTP.
Re: (Score:2)
10,000 TLS vs HTTP connections is so trivial of a difference that the major CDN providers donâ(TM)t even bother charging a different rate from normal HTTP.
It is pretty silly to presume that implies that they cost the same amount to serve. The implication is that they have the same value to their customer, perhaps because their customers wouldn't tolerate a price difference. Nothing is implied about the overhead.
Re: (Score:2)
The overhead is minor enough that no-one offering truly massive traffic loads even bothers to upcharge for HTTPS. This is well-established territory.
Re: (Score:2)
If you are handling 10,000 concurrent connections you have one of the largest sites on the internet and not just one server, a large number of redundant servers. Handling 10,000 non-encrypted connections is no joke, and if you need to do that chances are your service is valuable enough that it should definitely be encrypted.
Remember that it's not just your needs being considered here, it's the needs of your users, or perhaps your cattle if you are providing a """free""" ad-supported service.
It's really a no
Re: (Score:2)
He's not talking about load on the client system, he's talking about the server. One transfer being HTTPS rather than HTTP isn't a big deal. A few hundred add up fast.
Free funny cat videos don't require encryption.
Re: Shocking! (Score:3)
You have no idea what you are talking about. As someone who has to deal with cache invalidation regularly, I can emphatically assure you SSL does not eliminate caching.
What SSL has done is limited the ability to man in the middle attacks. ISPs have implemented DNS hijacking for advertising purposes, and some had started doing inline ad replacement, which means they could also do inline content replacement. SSL prevents that particular kind of abuse by ISPs.
Re: (Score:3)
Re: Shocking! (Score:2)
What on Earth makes you think static content takes anywhere near as much CPU as TLS? Go do some performance tests for yourself.
It matters a lot how the resources are being loaded, but worst care scenario (site serving a single resource to each user) the impact of TLS is going to be huge relative to static content.
Re: (Score:2)
Why is WASM bad, or at least worse than obfuscated Javascript?
Re: (Score:2)
In a way, Isn't WASM the equivalent of WebBundle for Javascript?
Re: (Score:2)
No it's completely different.
Re: (Score:2)
Re: (Score:2)
Up until relatively recently, about 5 years ago, budget-level Intel chips like Celerons and Pentiums did not all have Intel AES-NI.
Many people still use those. As a matter of fact, I use one as a small home server. It's a Pentium 3805U [intel.com]. I obviously got it because it was cheap, but it's low power and does the job. Sure, I use it as a server, but most people would use that machine as a surf 'n office computer.
Since it doesn't have AES-NI, encryption will be slower by definition. T
Re: (Score:2)
Re: Shocking! (Score:2)
I know you like the fun of keeping that old clunker running, but the electricity cost alone outstrips similar dedicated EC2 capacity at AWS.
Your hobby project does not linearly scale to high-traffic sites, nor is your hobby setup common outside of other similar hobbyists.
Iâ(TM)ve been working in this space for 20 years, what was difficult and costly 10 years ago is one or two clicks with no extra costs today.
Warm My Globe (Score:2)
Re: Warm My Globe (Score:2)
So, Google Cloud CDN, Amazon S3, ClouldFlare, jscdn, and all the others are insecure because they don't authenticate you? Yeah, sure...
Re: (Score:2)
So, Google Cloud CDN, Amazon S3, ClouldFlare, jscdn, and all the others are insecure because they don't authenticate you? Yeah, sure...
It's not you (the client) that needs to be authenticated. And your browser does authenticate connections to all of those.
Re: (Score:2)
It's the other way around. You need to authenticate them before running code that they (apparently) sent you.
In the other direction, you're sending them data and they do need to be very careful about how they handle it, since even seemingly inert data may be malicious, but at least they're not directly executing code provided by unauthenticated users. They also spend much more on network security than the average home Internet user. And even then we still hear stories about people breaking into servers by t
Re: (Score:2)
Re: (Score:2)
Thanks for the explanation. I understand; even if I type in the same weather URL over and over, a man-in-the-middle can cause me grief. Of course, that's what we get when we make the browsers/other software capable of doing "anything". It's not turtles all the way down, it's BAND-AIDs!
I don't agree that it's band-aids. We have taken a risky path by building out infrastructure for executing remotely-downloaded code on a regular basis... but it's an incredibly flexible and powerful paradigm, as evidenced by the explosion in use of the web and web apps. On balance, and given some mitigations (like TLS) to make it possible to execute only code from reasonably-trustworthy sources, I think it's a good choice. And I say that as a security engineer.
Re: (Score:2)
Instead, there is the constant, extra, energy expense, the pricey labor costs to deal with it all (from embedded devices up to server farm
Re: Shocking! (Score:3)
So what if someone MITM's my TXT file filled with ASCII memes?
Re: Shocking! (Score:2)
Who cares if they send me something else? The worst that happens is my memes don't appear and maybe my text editor locks up trying to pen a large binary file. Who cares?
Re: (Score:2)
Who cares if they send me something else? The worst that happens is my memes don't appear and maybe my text editor locks up trying to pen a large binary file. Who cares?
No, the worst thing that happens is they send you a browser exploit that takes over your machine and either hoovers up everything, or adds your machine to a botnet, or uses your box for bitcoin mining, or turns it into a Tor node that serves up kiddie porn, or uses it to store stolen data, or...
Oh, and they'll probably show you your memes also, so you won't notice that anything weird happened.
Re: Shocking! (Score:2)
TLS doesn't protect you from browser exploits. If MS sends me an exploit over TLS it's just as effective as someone else sending a browser exploit with no transport security. That needs to happen at a different layer. More layers of security are always good, but in that care everyone should be using client certificates.
Re: (Score:2)
TLS doesn't protect you from browser exploits.
TLS protects you from browser exploits by man-in-the-middle attackers.
If MS sends me an exploit over TLS it's just as effective as someone else sending a browser exploit with no transport security.
Sure, but which is more likely, that MS sends you an exploit or that a shady coffee shop does? Or some other hop between you and MS? You don't have any idea who all of those people are. Also, if you use Microsoft's OS, browser or other software, you're already completely and utterly exposed to malicious acts by MS. TLS protects you from other risks that you aren't already fully embracing.
That needs to happen at a different layer.
Which other layer, and why is it better there?
More layers of security are always good
This
Re: Shocking! (Score:2)
What if every 3rd request your ISP sent you an ad instead?
This isnâ(TM)t fiction, ISPs have dynamically rewritten HTTP payloads to inject ads.
Re: WindBourne will be along soon (Score:4, Insightful)
Look, grow up and stop bringing teenage internet drama into an unrelated topic by spamming a reply on the first post. We all know that's what you're doing.
Re: (Score:2)
Yeah, you're responding to the wrong person there. I didn't say anything about moderation. I just asked people to stop spamming off-topic replies on first posts.
Congratulations Google! (Score:2, Informative)
You just invented the .mht file!
this is indeed a bad thing ... (Score:5, Insightful)
but was bound to happen. however it's a bit appalling how stupid the pr is:
- Create your own content and distribute it in all sorts of ways without being restricted to the network
- Share a web app or piece of web content with your friends via Bluetooth or Wi-Fi Direct
- Carry your site on your own USB or even host it on your own local network
can't i do exactly the same right now? and this comes from the warriors of 'on demand and fast initial loading'?
Re: (Score:3)
You could certainly zip up all the resources needed to do that but chances are the site will break if you do. Non-relative links won't work and lack of any way to sign the content means that it's both open to malware and distrusted by default by most browsers.
WebBundles can be signed to ensure authenticity. Sharing locally is not very useful in the West but in developing nations where internet access is not universally available it has uses.
Bad practice (Score:3)
You could certainly zip up all the resources needed to do that but chances are the site will break if you do.
The main cause of this problem is bad coding practice with most webapp devs having an seemingly irresistible urge to transform anything they touch into a giant katamari that needs to pull a zillion of javascript libraries from all over the internet (bonus point if a certain javacsript libraries shows up as a dependency of several of the pulled ones, but each requiring an incompatible different version).
Non-relative links won't work
...but are usually correctly handled by a lot of the various slurpers/crawlers/"Save to..." browser's opti
Step #13342 (Score:4, Funny)
Brave makes a very good point. (Score:5, Insightful)
Disclaimer: Professional Senior Web Developer here.
I am highly sceptical of bloating the web further. WebAssembly is a good thing, webm is a good thing and Google deserves credit for that. However, I see nothing complex that this solution offers that can't be done with HTTP 2 Push, which we already have. I also really like the fact that despite all the VDOM bloat we have to deal these days I can still just push out clean HTML with some well built CSS and have a website that looks and runs neat and doesn't rack up 4MB per pagecall. I have a very strong suspicion that this bundle stuff Google is proposing will push the stupid web projekt managers to bloating the web even further and I don't like it.
Bottom line: I'm highly sceptical of this Google addition to the web and side with Brave on this one.
Re:Brave makes a very good point. (Score:5, Insightful)
WebAssembly was a mistake. The web should not be a collection of poorly optimized pseudo-compiled binaries running in the web browser, as it's been almost entirely abused by cryptominers and malware.
HTTP2 should have been rolled out with both encrypted and unencrypted modes as standard, but instead browsers only implemented half of it, and then google decided to roll out it's own alternative anyway.
Google is quickly hijacking "the web" for it's own purposes and we're already in a state of "works best or only on chrome", which harkens back to "works best on MSIE 4.0 or Netscape 4.0" of 1999
Re:Brave makes a very good point. (Score:5, Insightful)
Overall as I see many of these changes as being attempts to prevent evasion of serving of ads through adblockers.
Re: (Score:2)
Duh, it's Google, what did you expect?
Re: (Score:3, Informative)
Stopped reading after "I agree overwhelmingly to a majority of both your comments @kisai I haven't thought it all through, but really quickly let me be devil's advocate here".
If you want people to read your comments, get to the actual point quickly, and use paragraph breaks to show that you have thought about how your ideas group together. Also be more careful with your punctuation; leaving out periods or commas only highlights that you didn't think it all through, making your comment less credible.
Re: (Score:2)
Here's the point: you should kill yourself as painfully and efficiently as possible. Favor pain over efficiency if those clash.
Re: (Score:2)
I am posting this comment from my phone. I've never had problems with line breaks on it.
And it's not my loss to skip over a half-reasoned wall of text.
Re: (Score:2)
I see nothing complex that this solution offers that can't be done with HTTP 2 Push, which we already have.
Well, there's the fact that even with HTTP 2 Push you're managing multiple requests between client and server, for each page let alone multi-page browsing.
With this new thing you're able to have just a single request, substantially reducing the impact of latency albeit at cost of additional overall bandwidth use.
But the real difference is that Google will be able to deploy all of their spyware, tracking and adverts from the initial request. I can see why they like this.
Re: (Score:2)
I've read through the entire linked GitHub issue and I agree, Brace is right. Surprising considering their attitude to scamming users with crypto currencies and slyly inserting referral URLs into links.
The main issue is that there is no hard, mandatory link between the URL of a resource on the server and the URL of the same resource in the bundle. For for example if you have coin-miner.js on the server it can be renamed to ds87y87fsdha.js in the bundle, making it much harder to block.
Someone from Google arg
Solution: (Score:5, Insightful)
All they really need to fix all this is to require a "point of origin" URL for each component of the bundle for where you can download the identical file. If the point of origin data doesn't match then the domain serving the bundle should be marked as a malicious website and should be delisted from search engines.
They could do this but won't because the entire point is to bypass ad blocking.
Come on, we've seen this coming a mile away (Score:5, Interesting)
Google's goal is identical to Facebook's. Google never, ever wants you to leave the Google-sphere. Having "bundles" is just one step away from Google grabbing those bundles from your website and serving their copy to other people, direct from a Google server.
Read people's comments about why AMP really exists. Read people's comments about every other web move Google has proposed. At this point, this shouldn't be shocking to anyone.
Re: (Score:2)
Google's goal is identical to Facebook's. Google never, ever wants you to leave the Google-sphere. Having "bundles" is just one step away from Google grabbing those bundles from your website and serving their copy to other people, direct from a Google server.
Exactly. This is the logical extension of their campaign to suppress the URL in Chrome [slashdot.org]. Who needs URLs if everything is served from Google's servers?
The web is dying anyhow. We need alternatives. (Score:3)
I mean seriously, the number of web browser engines is shrinking year by year. Mozilla will probably give up on their own engine eventually as they see to have very little interest on sustaining a diverse web ecosystem. While browsers have code that is free by license, they are unfree by complexity as single persons of small groups are unable to make meaningful changes.
Perhaps what we should do now is to invent and evaluate potential alternatives. For example, what happens if we add multimedia extensions to terminal standards? The 1980s Videotex standards, for example, included provisions to multiplex multiple data streams into your terminal. This way you could re-define your characters, transmit vector graphics, photographic information or even sound. This is done by using the "Unit Separator" character $1f followed by a character that defines the stream. This way we could for example define a "video" endpoint. It could include commands to define or change the area in fractional character cells which would be used as a canvas, and it could then send a video in chunks over the connection. If you add responses you can easily estimate the connection bandwidth and send lower bandwidth video.
Re: The web is dying anyhow. We need alternatives. (Score:2)
The "web is dying" because it's being poorly managed, both by site operators and those who write web browsers.
The same thing will happen to what you propose because all of the mis management will still be there.
The underlying technology of today's browsers is quite sound, but it's being misused.
oh well (Score:3)
And so it begins (Score:5, Interesting)
Here comes that sudden "WOOSH!" down that slippery slope we have been sliding on. Bye bye freedom loving internet, bye bye any user control over crapware and unwanted Javashit annoyances, just bye bye to the internet as we know it.
Welcome to the 100% controlled by THEM and 0% controlled by you internet. You will have a king, and you do only what the king allows or commands you to.
Now it's clear. Googles "Do no evil" was a ruse. They never had the intent of NOT being evil.
Re: (Score:2)
Well, it's not different from the app-centric universe of mobile. There are relatively few things that can be done with an app and cannot be done with a web site, and even less if you added some extensions to the browser. But you will see everybody and their mom too pushing you towards their app instead of their web site. That is because that gives the control to them instead of you. Everybody fights for control, that's understandable. So I expect that new standard of Google to be openly embraced by all sup
Re: (Score:2)
And yet we are "babyfied" regardless. This is a very common narrative in the computer industry as of late: Treat users like they are stupid or infantile, and restrict them as such.
This has got to stop. These companies are not God, they are not unstoppable forces, and we need to stop letting them treat users as retards and just something to milk money out of.
Re: (Score:3)
"Users are stupid and infantile. If you want to make money, you have to restrict them as such or nothing will work. It won't stop."
So because SOME users are stupid and infantile, everybody has to pay the price? And why do I have to be put in restraints in order for someone else to make money? Sorry, I don't exist to make YOU or anybody else money and fuck anybody who dare tries.
And what you are suggesting is a return to the feudal lord/serf way of doing things.
This post you wrote has got to
Re: And so it begins (Score:2)
"Just saying, that's how the world works. People like to make money"
At the expense of everybody else. I'm not going to give up my freedom because of the "most people" excuse, or whatever bullshit they try to befuddle me with.
We are not their slaves, and I hope that the populace will snap out of the spell that companies have them in as they continue to slip shackles, diapers, and ball gags on everybody and fight back. They have NO RIGHT to subvert my freedom, I don't care how good of a mealy mouth ma
Re: And so it begins (Score:2)
And finally, and this is THE biggie: Why should I have to TRUST THEM? Who died and made them the moral guardians of the universe?
Re: (Score:2)
Now it's clear. Googles "Do no evil" was a ruse. They never had the intent of NOT being evil.
It probably was legit at the time; but, like many a public company, the desire for ever increasing profits made it easy to drop that one quickly. Seems common for companies to lose their founding principles when they go public or become too large.
Re: (Score:2)
Microsoft was much harder to leave or ignore 20+ years ago. From things like the government serving up documents in Word format without much in the way of alternatives to read them to installing Win95 and at the end of the install, getting told that what was on the hard drive on other partition was now permanently gone (2 minutes with fdisk brought it back if you knew how) to web sites that only worked with IE. Almost got stuck with MSN instead of the internet too.
Google can mostly be blocked by some hosts
Re: And so it begins (Score:2)
"boght into it. Unfortunately Google today is no longer the Google of yesterday."
I really wish there was a law that forced companies to change their name whenever they "go over to the Dark Side"
"Momma's Fresh Baked Cookies" used to make fresh baked cookies. Now they have converted their factory over to making Zyklon B tablets to sell to evil dictators around the world to use against their own countrymen. Yet they still call themselves "Mamma's Fresh Baked Cookies". Is this acceptable?
(Yes, an extreme exampl
Re: (Score:2)
True, but too late. (Score:3)
I can see those problems, too. But in the end, what's the difference between those bundles and including resources and scripts into the HTML page a base 32 encoded resource? Our developing your website as single page application? Probably even with that meta data that makes it behave like a native app in your phone app launcher or your desktop machines start menu
Re: (Score:2)
Re: (Score:2)
And no matter if you access it with a service worker or that new web bundle, you need a way to address a single resource in the bundle. and if you do that with an anchor, you still have standard urls.
Re: (Score:2)
The concern AIUI is that the WebBundle format allows the bundle to contain pseudo-responses for any URL, not just paths relative to the bundle. If the URL of a resource referenced by the bundle matches a response packaged into the bundle then that pseudo-response is used without ever making a request to the original server. This is great if what you want is an archive of a specific session. It's less great if you think that a page that explicitly references example.org should actually get its content from e
Do No Evil.. (Score:4, Insightful)
A move against ... (Score:3, Insightful)
Re:A move against ... (Score:5, Insightful)
Re: (Score:2)
You get those flashy ads because you have no profile for targeted ads, which tend to be less flashy.
Wait until you see the bundle I have for you (Score:3)
after a 60GB download of a bundle, it will display a smiley face. Just that.
Re: (Score:2)
Embrace, Extend, ... (Score:3)
Guess what's next on Google's agenda
Evading privacy & security is the point (Score:5, Insightful)
People keep forgetting that Google is an advertising company. Their analytics engines works at a macro level and can handle these "bundles" just fine. However people will not be able to do so. There is simply to much for the average person to put together in a reasonable period of time to mess with. I wonder if psychologists had a hand in guiding that aspect.
Now you have a standard that will effectively get ahead of most advertising blocking tools for a while. More to the point it will notably slow down the speed and efficiency with which they operate. At a minimum companies that make advertising blockers will have to retool their programs to catch up with the new standards. Even once they have retooled they will never be as efficient due to having more to process. This means that people will be more apt do disable to ad-blockers out of annoyance on how long it takes their web page to load.
Unfortunately this will also impede a lot of organizational and privacy security tools as well. Google doesn't care as they fall under collateral damage. This new standard offers zero benefit to the public at large. The standard endangers the public by degrading their security and privacy tools. Malvertising is certainly one of the most popular means of distributing malware via ad networks. Poor to shoddy standards around the advertising market have already made this a large issue. The use of this new standard would drive this problem through the roof.
https://arstechnica.com/inform... [arstechnica.com]
This standard benefits Google, advertisers, marketers and those in the malware business. The new standard is a security and privacy risk to everyone else.
Brave isn't brave (Score:3)
>"Brave Complains Google's Newly-Proposed 'WebBundles' Standard Would 'Make URLs Meaningless'"
Brave allows their browser to be controlled by Google because they base it on Chromium, just like every other multiplatform browser that isn't Firefox. This makes it yet another "Chrom*". And this gives Google the power to control more and more. And then they want to complain about Google doing such things? Here is your revelation: Having control over your browser's alias name and some control of the UI doesn't give you much control.
Re: (Score:3)
[Problems with Slashdot going offline this morning, and the rest of my posting was lost, so reply-to-self with the rest]
>"We've tried to work at length with the WebBundle authors to address these concerns, with no success."
So, they are finally realizing that there really is nothing community-driven about Chromium? That de-facto "standards" aren't really standards? Everyone has handed Google this power- the users who use Chrom* and the non-Firefox browser "developers" who based or switched their engines
Google wants to make you see ads. (Score:5, Insightful)
With the Chrome rendering engine... (Score:3)
plan (Score:2)
2) get traction
3) remove point one from your plan
4) do evil to avoid ad-blocking
5) profit!
Might not be so bad (Score:2)
I see a lot of negative comments. Google bashing may be well deserved in general, but this idea has some merit and should be explored. Making web pages into self-contained files could gain many benefits of pdfs. (However, pdf for all its ills still has a much simpler, more stable file format.)
Today, most websites think they need to connect to 20 or more other sites. Most of these other sites serve up ads and tracking beacons. Moving towards "one site = one connection = one file" would clean up this mes
PDF reader can be browser (Score:2)
downloading a bundle instead of discrete elements could be more efficient, or it could be a nuisance, depending on your needs.
sites deploying bundles only would probably be forced to provide discrete elements also, simply through demand pressure.
furthermore, Brave and the slash/editor seem to forget that a PDF reader can be a browser too, and is equally capable of discerning and making choices about what to display, and how to display it - IF we take the time to improve the reader code.
this will probably ha
Re: (Score:2)
Flash Is Dead! Long Live Flash! (Score:2)
And Java. And anything else that requires runtime support to display something in a browser. It's been tried many times. It's very beneficial for people who want to use massive web and system resources for anything from pretty pictures and fades to privacy mining to outright malware. Now that we have HTML5 it's not very beneficial to actual users.
I would partially disagree with lumping PDF into the group. Many browsers now open PDF in the browser. If properly sandboxed, that's marginally OK. PDF can also be
This particular barn door has been open (Score:2)
... for quite some time. URLs are as meaningful or meaningless as content owners want them to. You can reason very well about https://example.com/memes/2020... [example.com] and all is fine and dandy, but absolutely nothing prevents the same content from being served to you as https://example.com/assets/dcb... [example.com] â" valid only for the duration of your session. Others will receive the same asset under totally different names. Go reason about that. These web bundles break nothing that is not already broken.
So, defeat all adblockers? (Score:2)
That's what this sounds like. Hey Google, why not just encrypt it all with a proprietary algorithm while you're at it, so no one can even SEE what the content is until it's on the screen?
Fuck you, Google. Kill yourselves, and let someone run Google who believes in 'Do No Evil' again.
Something akin to this has existed for a while. (Score:2)
IPFS has in a sense created web-bundles already.
IPFS is based on numerical hashes to identify files, the authenticity part is built in.
No particular server has to hold it, you can add it to your own machine and never go online again if you like.
One of the best examples of this that comes to mind is "Atari 2600 + IPFS". It's a web page - with every Atari 2600 ROM and an emulator. It's not hosted in any particular place, if you know "QmacAqRVhJX9eS7YJX1vY3ifFKF9CduDqPEgaCUSa4x5xb" you can grab the "module"
fixed that for you (Score:2)
Sooo... what you're saying... (Score:2)
is that this is exactly like Microsoft bundling all of their security patches together so you can't pick and choose what you want to get or exclude, including those telemetry (er, customer experience and compatibility test suites)?
amiright?
Re:Brave (Score:5, Insightful)
Given that the CEO, Brendan Eich, is openly and proudly homophobic, should we even trust anything Brave wants?
Nice ad hominen there...
He might even be a raging Nazi, that doesn't make his message any less true.
Re: Brave (Score:4, Insightful)
Re:Brave (Score:5, Funny)
He might even be a raging Nazi
Brendan Eich is much much worse than a homophobic Nazi: He created JavaScript.
JavaScript creation [wikipedia.org]
Re: (Score:2)
javascript in web pages is a crime against humanity.
code and data should be separate, not mixed - that's a horrific form of miscegenation that will lead to the downfall of civilisation.
Re: (Score:2)
trump isn't responsible for all crimes against humanity, just some of them.
Re: (Score:2)
Ad hominem is a fallacy that can be applied in a logical argument, I don't see that such an argument was being made there. What I see is a judgement of character being made, and I found the post useful in that regard. I'd barely heard of "Brave" before, now I know what kind of person is running it, plus an example of something shady they've done.
Besides, the hominem was already introduced as the first word in the headline. They could have chopped "Brave Complains" off the front and kept focus on the
Re: (Score:2)
He is not afraid of homosexuals. He just thinks they shouldn't be allowed to get "married" the same as normal people. There are many reasons to dislike Brendan Eich, but this is not one of them.
Yes, yes it is. Also a reason to not like you. "Normal people" ? Seriously?
Prop 8 - gay marriage (Score:3)
Re: (Score:2)
what types of ideas does a community like Slashdot have
Slashdot isn't where good ideas come from. Slashdot is an internet backwater where you watch an older cohort of interneteratti try to cope with their conflicted feelings about Goggle, on one hand, trying to sew up the future of the web with their advertising schemes and Brave, run by a previously cancelled conservative, being the leading voice of opposition.
And no, I don't have a better alternative.
Re: Now I'm curious (Score:2)
"unless you use Chrome or allow scripts from domains that serve ads or track activity? How do you explain your position to your peers, friends, and bosses?"
Damn, I see the huge anti-trust sledgehammer slamming down on Google for this, not to mention the shit they will get from every government on the planet.
Google is going to get themselves hurt bad by pulling this stunt. They need to drop this whole GOL idea (Google On Line) for their OWN sake.