Over-powered browsers
---------------------

(preface: this entry took a few painful days to write, and I'm not terribly
happy with it, but I've uploaded it anyway to keep the phlog alive.  This is
exactly the kind of lang, rambling thing I've tried to write in the past and
given up on.  It's precisely the thing this phlog is *not* supposed to be, but
alas.  Read on if you dare)

In the beginning, web browsers did one thing and (presumably) did it rather
well.  They rendered HTML, in some primordial form, which is to say that they
laid text and, very occasionally, images out on the user's screen.

(aside: I suppose I'm basically assuming what browsers were like in the
beginning.  As best as I can recollect, I first used a web browser in 1995 or
1996.  I was 10 or 11 years old at the time, and I don't know which browser I
actually used.  I do know that later in the 90s I was squarely a Netscape
Navigator or Communicator user, but My First Browser eludes me.  Which is
frustrating, because it's possible I actually used the infamous Mosaic, but I'll
never know)

Nowadays web browsers are basically sandboxed program execution environments for
running Javascript programs or doing various things which HTML 5 provides for,
like streaming video, persisting data to the hard drive, etc.

At this point you are presumably expecting me to burst forth into angry
insistence that the way it used to be is the One True Way and that the current
state of affairs is The Worst Thing Ever.  And if you have a very good memory,
you probably recall that in an earlier phlog entry ("Web apps are houses built
on sand") I said some unequivocally positive things about web apps (i.e.
Javasript programs) providing a cross-platform development environment, and are
wondering if this is the entry in which I reveal myself to be a hypocrite.

Well, not quite.

Web apps *are* nice in a lot of ways, for many applications.  My primary beef is
not so much that the computational capacity of the browser as a platform has
increased, but that this capacity is used indiscriminately and irresponsibly.

Let's go back to our hypothetical (probably not too wrong) Primordial Browser
that renders HTML 1.0 and puts text and graphics on a page with relatively
minimal flair, and let's assume that it's running on a modern high speed
internet connection.  This browser has a lot of nice properties, but perhaps what
it boils down to is a complete lack of surprise.  When you click on a link in
this browser, you can fairly well assume that:

* Your CPU usage will increase a little, but not too much, for a fairly brief
  time (i.e. a few seconds).
* Your RAM usage will do the same.
* In general, the consequences of your clicking, in terms of resource
  consumption, will be minimal and shortlived.
* It is incredibly unlikely that your browser will crash during this time.
* The entity hosting the website you clicked a link to will learn nothing about
  you beyond the information your browser inserts into the headers of its HTTP
  request.

If the browser has been written by smart people, is well tested and has been
debugged, then the above are true even if the HTML of the page you clicked a
link to has been written would really rather they were not true, or by people
who do not know what they are doing.  The narrow scope of the browser's
capabilities presents a very small "attack surface" to either malicious or
well-meaning but incompetent webmasters.  Because there is no possibility of
surprise, there is no requirement for trust.  You can click around with abandon,
because what's the worst that could happen?

Compare this to the situation that actually obtains today.  On a machine with a
Core i5 or i7 CPU and multiple gigabytes of memory it is not only entirely
possible but a *far from rare* occurrence for a website to cause CPU usage to
spike to nearly 100% and stay there long enough for a laptop's fans to kick in
at high speed.  Memory consumption for long-running browser processes are
measured in hundreds of megabytes if not gigabytes.  Browsers can feel quite
slugish and slow to respond to user input, and a single very busy website can
bring a system to its knees, at least temporarily.  Even if a website seems to
be fast and responsive, the real truth is that you have no idea what it's
actually doing.  I recall reading at one point about a browser history sniffing
exploit where a website could learn which other sites you had visited by virtue
of the behaviour of browsers whereby visited links are coloured purple rather
than blue - evidently Javascript provides the ability to interrogate the browser
about the colour of various elements in the document.  This is an example of a
website harming a visitor using an unexpected consequence of a behaviour which
there is no compelling reason to be possible in the first place.  In short,
there is tremendous scope for surprise and thus you are necessarily placing a
great deal of trust in the entity behind every page you visit.

I would argue that fast, resource-light and trust-free browsing is A Good Thing.
Unfortunately, it is basically a relic of a bygone era, because these days 99%
of websites are laden with superfluous Javascript and advaned HTML features,
even if they are not at all strictly required to achieve the goal.  In essence,
I would argue that acting like a modern browser is necessary and acceptable for
websites which are obviously applications -- which *need* to be applications in
order to do what they say on the tin -- but for all other sites we should demand
behaviour as was seen in simpler times.  All well and good, but can we ever hope
to actualy see this?  Probably not, but indulge me.

The web-design community has an excellent track record when it comes to
convincing people to care deeply about what many might consider irrelevant,
abstract, ideological nonsense.  Just you try and use <table>s for layout in
2017.  The web-design community will crucify you.  And not because doing the
layout with CSS is easier (it bloody well isn't) or that it loads faster or
looks better.  It's because that would make the mark-up non-semantic.  This is a
remarkable achievement.  A group of people who at the end of the day are doing a
job to put bread on the table made one another deeply care about some abstract
principle which is literally invisible to their clients.  The same goes for
writing HTML or CSS which validates according to the W3C specs, which was once
upon a time an important enough mark of virtue for a web designer that people
(myself included) put little badges on our wesites when we got it right.

Could this same capcity for self-regulation be used for great justice?

Imagine an alternate world in which every webpage had to explicitly tell the
browser what kind of a page it was (via a specific DTD, or some new element
inside of <head>) - "I am a full blown webapp", or "I am just a dumb ol'
document" or something in between.  And imagine that this was not just some idle
declaration of intent, but more like a binding request for the browser to grant
the page a certain set of permissions (think of the way permissions give Android
apps fine-grained access to the phone's capabilities - but don't think of it too
hard, because it's terribly done, e.g. there is no culture of developers
striving for the least permissions possible, nor of users demanding this, and no
means for the user to deny individual permissions an app wants with the
understanding that some features may not work).  A webpage which declares itself
to be just a document can execute no Javascript (or perhaps some very, very
minimal subset of JS), whereas one which declares itself a full blown app may.
Perhaps there are 5 points on a scale between these two extremes.

Imagine that this system not only existed, but that web designers made one
another care about this, so that declaring a webpage which tells residents of a
particular council which day of the week they can put their recycling out for
collection to be a full-blown web app would get you ostracised the same way
using tables for layout would.

Imagine if websites demanding the highest level of permission caused the browser
to ask the user if they were sure about visiting it, unless they were served
from a small list of whitelisted domains.

Imagine if browser developers wrote totally separate rendering engines for each
of the five permission levels, optimising each engine for its specific set of
capabilities.  The simplest engine would make it totally impossible for a tab
displaying a page rendered by it to consume more than 5MB of RAM, and would
perform zero computations after the initial parsing and rendering.  The simplest
engine would be so simple that individual humans could read and understand all
the source code in a few days.  It could be audited very carefully for security
vulnerabilities.

In the same way that demoscene coders pride themselves on getting very old
hardware with limited computational power to generate amazing spectacles of
vision and sound, some web designers might get very competitive about making
sites which looked beautiful even though they used the lowest or second-lowest
level of permissions only.

Such a scheme would not only alleviate the resource devouring, security and
privacy problems of the modern web, but it might also force webmasters to
exercise some basic courtesy as well.  Auto-playing videos, for example, would
only be available to pages declaring themselves to be in the highest or
second-highest permission tier.

This is a very appealing vision, to me at least, but I don't expect it to ever
happen.  The internet is, by and large, funded by the commercial spoils of
survelling everybody on it, and this scheme would curtail that surveillance
substantially.

But we *could* have built this...