It's a web API, but it's a web API that requires development work to do, and Goanna (Pale Moon's pre-multiprocess, pre-all-the-things-that-make-modern-Firefox-good Gecko fork) would need to implement those APIs.
Just ran checksec on Pale Moon's Linux binary distribution - their binaries are built with no mitigations whatsoever. ASLR disabled, no stack canaries, no fortify.
This whole project appears to be a security disaster and nobody should use it.
That exchange borders on unbelievable for me. How any project could be so tone deaf is beyond comprehension. And the initial message from the PM project is more than enough to set anyone off.
This read was amazing, and I would fully recommend it for someone self-isolating with a hot cup of coffee who wants a jolly read about how not to communicate with others.
"Customization." It retains the older, Firefox ~25-ish UI. They've since upgraded the backend to Firefox 52, which is still Really Old. And they've got a lot of culty behavior around their community, if that's your bag.
If you absolutely must have an XUL-based Firefox derivative: 1) you don't, 2) stop, and 3) don't use this one if you don't listen to #1 or #2.
Yes, I have seen your frothing Reddit posts, you don't have to repeat them here. "Leftist fascist"--can I give you a bit of free advice? If you have to modify "fascist", everyone and their dog knows it's because you have to modify your slur to make the mirror a little more palatable. Maybe find some new ones.
But I reject the square-peg premise you're trying to jam into that round hole anyway, as it's not a democracy, either. Your choices impact your neighbors without their consent. It's not about fucking over power users or whatever the weird little epistemic enclosure you come from wants to insist it is, it's about addressing technical debt both in terms of performance and security--and the latter matters quite a lot in terms of not enabling people who think they're power users to 1) blow their own leg off, and 2) blow the legs off the people next to them. That's why those "leftist fascist" evil scary Firefox people decided "hey, let's patch some of these up."
Customization, in and of itself, is fine (modulo the combinatoric explosion that leads to security holes). Few enough people would disagree with that, though I understand that the aforementioned epistemic closure holds as axiomatic that everybody just hates the tweaker types. On the other hand, customization at the expense of competent security development, which is what you get with Pale Moon, is not. And seeing as how there certainly doesn't seem to be much in the way of developer competence, to the point where "don't use the stuff that upstream has working just fine because we can't figure it out" is a legitimate attempt at "discussion", it ought to be dumpstered.
Somehow, this "power user" (god, I hate that term) gets by just fine with poor, benighted Firefox--having switched to it from Chrome/Safari after Quantum because it finally felt as pleasant to use as back in The Day. Clearly, though, that just makes me a radical-left SJW hater or something. But that's fine. Modern Firefox is heckin' great.
> There also seems to be a small group of devout followers who travel from the Palemoon forums to other parts of reddit, HN and github to spruik the project and derail criticism. I've observed (without naming names) it's the same names doing it over and over again.
They always use the same phrases too "nazi" and "fake news", "false narrative" etc. They tend to refer to themselves as "power users" with a clear tone of superiority to their comments.
Users sure as hell didn't leave for BlueMoon or the other also-rans.
(And nobody is falling for your "leftist Nazi" shtick. It's quite telling that you can't even come up with terms for your imaginary opponents and have to fall back on misusing "fascist", "nazi", and "dictator", isn't it?
Here, in the interest of the English language, are some actual left-wing baddies you can use: Bolsheviki, Stalinist, Stasi, Politburo, Khmer Rouge, ETA (potential for puns here), (Popular|Democratic|Worker's) (Front|Army|Committee|Union) for (Liberation|Democracy|A Better Future|Legalisation)
The real security disaster on the modern web is commercial groups taking over setting standards and turning the web browser into an OS with all the security problems that entails.
The opposite is the case - web applications are one of the best things to happen, security-wise, in a long time.
Web applications are fully isolated and sandboxed, have fine-grained permissions, are easy to inspect, and the runtime is built with a modern threat model.
ChromeOS is probably the most secure desktop OS for this reason.
I want my browser to expose more functionality to web apps, because it means that I have to run less random unsandboxed code on my underlying OS.
We need both - some kinds of applications need direct hardware access. But the kernel attack surface is huge, even with seccomp and friends.
An app on my smartphone or - much worse - an Electron app "sandboxed" in a flatpak on my desktop has access to far wider range of dangerous APIs than a web application. What's wrong with a browser as a high-level OS?
Some of this is aesthetic so I don't really expect to change minds, but if we lived in the world of "Life and Death of Javascript" and booted to some kind of Web OS I'd be annoyed at the loss of low level hackibility and get over it.
Booting to Linux, then booting a browser to get to a normal app that doesn't need network connectivity "feels" wrong.
Until they're delivery vehicles for obfuscated wasm to canvas rendering applications. Then nothing of the "web as graph of hypertext documents" will be left.
> wasm changes nothing here, you could always obfuscate js just as much
It is a significant change because it lowers the bar to create a blackbox. wasm offers the performance, canvas provides an opaque, flexible render target. Without either you're limited to obfuscating your JS (which indeed already happens) and obfuscating your DOM (also happening). But the DOM still leaves enough surface for adblockers and other extensions to intervene. Perhaps throw in a websocket/webrtc to channel all your data over a single connection and you basically have created a single intransparent blob which extensions cannot interact with on the behalf of the user.
You turned the user agent into the site's agent.
> "DRM will be used even for text!!1" (wrt. EME especially)
I am not aware of EME offering a data path to bring encrypted text to the screen. Without such a path these claims have no merit, wasm + canvas on the other hand offer a clear path.
Go to nasa.gov with javascript off. Tell me how much text you can read. It doesn't have to be DRM. It just has to be ever more complex JS standards and engine implementations that only a handful of companies can actually make.
Once it's an application instead of a document the text just isn't there.
Websites are at least supposedly are sandboxed so they are not as much of a risk as running native binaries. But this is getting worse and worse though as browsers expose more and more of their host operating system's functionality. The benefits of using a website instead of a native app are quickly disappearing, while the drawbacks have only been somewhat mitigated. We're getting to the point where browsers are worthy of the decades old criticism Emacs has received. They have eventually become an OS with many fine features - simply lacking a good web browser. For the privacy (and security) conscious user, modern web technologies will undermine you every step of the way, or simply break if you choose to stand your ground.
Sandboxes are security features that have to implemented though, and if implemented incorrectly will create vulnerabilities. I’m sure google is on top of these but these random unheard of browsers need more scrutiny
The thing that kills me is that they forked a pretty bad (at the time) browser core to make Goanna, then the parent of the fork got way better and left them in the dust.
I would actively block Pale Moon if I thought I worked with people silly enough to use a slow single-process browser in 2020. (Instead of a moderately slow multi-process browser. But I digress.)
Just empirically, browser security has improved dramatically over the last decade or so. When did a browser exploit last cause actual real-world damages? I remember network infrastructure compromises, social engineering, fake gmail logins, etc, but the weekly flash or PDF worm is gone, and JS seems to be holding up remarkably well given its size and complexity. Aluminium Centrifuges seem to also be more vulnerable these days than Chromium Browsers.
Notably, the binary has not been compiled with -fPIE and -fstack-protector, which disables two very basic exploit mitigations - ASLR and stack canaries. Any self-respecting Linux distribution enables these compiler flags by default nowadays. -D_FORTIFY_SOURCE is also missing, unlike Chrome or Firefox. A modern browser uses dozens of custom binary exploitation mitigations in addition to this.
Mitigations and sandboxing are the difference between an exploit a CTF player can write on an afternoon, and a multi-month expert-level endeavour.
Yeah, that's my point. Pale Moon's developers forked a complex project and are now asking people to not use things that the mainline project now supports just fine.
There are too many APIs released at neck-breaking speed, often poorly designed and rushed.
See Google's own Web Api tracking page [1] Chrome adds almost 1000 new APIs per year Only last year they added over 500 APIs that are not present in other browsers, and pretend they are standard and will not remove them even if other browsers are not going to implement them due to multiple explicitly voiced concerns.
So yeah, no. Your news at eleven is misleading at best.
No. But there are 1000 new web APIs that you have to implement yearly just to keep up. And Web Component specs are a part of that.
And then despite all the objections from all the other browser vendors Google releases an API in production and will not mark it as experimental. Yes, a Web Components-related API (Adopted Stylesheets).
the same can be said about any new CSS features and other new stuff that goes into the browser. browsers are evolving rapidly, either to make devs work easier or make users' work easier or just to make everything prettier or faster.
