The browser wars are once again upon us

I want some system calls in Unix so that an application can voluntarily drop certain privileges. JavaScript has a sandbox, so that's one piece of the security puzzle, but the OS should be able to police the browser app itself in case the worst happens.

I don't trust Flash in the least little bit to be at all secure. It is a very closed system. It's not even well enough understood that a good Open Source clone of the client can be hacked together quickly. I wouldn't be surprised to discover all manner of attacks through subverting the Flash runtime or just using something it's supposed to do on purpose that nobody thought through.

I only slightly trust JavaScript to be vaguely secure, and that's only because the JavaScript interpreter I use has a very open development model.

I would not trust CLR to be secure at all either. Especially since from what I understand about CLR, they may have given up some of the restrictions that Java had that allowed it to ensure that there were a certain set of rules no Java program could break.

And the OS security model the browser currently runs under is utter garbage. It should not have access privileges to everything I do. It should be allowed to read and update its cache, its preferences and its cookies, and that's about it (though quite a lot of nefariousness can be done with just that). Anything else should have to go through some kind of gatekeeper app that asks me if that's what I want to do.

The take-up seems to be gaining momentum as we were swept high by these shiny gadgets. Silverlight may be late in the game. although I won't be betting against Silverlight since (my guess) it is going to be free as in beer, much like IIS and IE.

Definitely, a spear and arrow intended for Adobe who is marching deep into their territory.

Also, Icaza announced a Linux port of Silverlight several days ago. That should add more chaos into the frenzy.

Yes, the market is warming-up.

nymia wrote: Also, Icaza announced a Linux port of Silverlight several days ago. That should add more chaos into the frenzy.

What's the scope of Silverlight-on-Mono? If it includes Silverlight streaming, then can we expect Novell to get some blowback on this one: a free implementation of Silverlight streaming would pretty much wreck the DRM "content protection" claims that Microsoft is trying make for the platform?

That said, any thoughts on Curl (the RIA platform)? My feeling is that any technical superiority it might have, the company lacks the marketing muscle to go head-to-head with either MS or Adobe, and they may have set too high a premium for their wares (i.e., commercial deployments start at $12K).

robocoder wrote: they may have set too high a premium for their wares

Even the giants of industrial infrastructure don't charge for programming language environments, so the market doesn't support positive premiums. You can "sell" deployments for money if you provide large amounts of high-quality, "free" consulting. For people who followed the story of the much more innovative functional programming language Miranda, that provides a pretty clear analogy.

Good question, I'd love to see something like that running on Mono and Xlib.

I'm not sure what legal requirements are needed to make that possible, though. I'm guessing Icaza and company will have to jump hoops and sign legal binding agreements just to get a roadmap on the SDK development path going for Mono.

Aside from the legalities, I would like to see Icaza come out alive and kicking. It's a tough job trying to push code into the public domain. Hope he succeeds.

...it looks as if one of experts, Paul Withington, has joined us. I've emailed him to see if ptwithy is legit.

I would not call myself an 'expert', but a journeyman. Disclaimer: I am currently working full time on OpenLaszlo, funded by Laszlo Systems. A couple of observations:

Curl, like Apollo and Silverlight depends on a proprietary player or plug-in. Flash being the oldest has wide distribution. WPF/E will surely catch on fast, given the promoter. Curl has a much tougher row. (Last I knew, its JIT still only generated x86 code and only ran on Windows or Linux).

The beauty of a proprietary plug-in is that cross-platform compatibility is guaranteed. The drawback is that it is single-sourced (and proprietary). [Note: Both Adobe and Microsoft have annouced their intentions to open source large portions of their development environments, and Adobe has donated their Javascript engine to Mozilla, but neither of these announcements make the complete player open source.]

Contrast this with standards: AJAX (Javascript+DOM+CSS+XHR) -- these have many implementations with no guarantee of cross-plaform compatibility. When those implemenations are open, compatibility improves.

We like to think of OpenLaszlo's LZX language as a higher level language that lets you express your application in a more concise way. As mentioned in the main post, it can compile to the Flash player or to AJAX. We have demonstrated compiling to SVG (and are working with the SVG committee), and Sun has demonstrated compiling to Java. It is very probable that compiling to WPF/E will happen soon... given that OpenLaszlo is open source, for all we know Microsoft may already have that working. (:P)

And yes, the language of the future is Javascript. It is rapidly becoming the equivalent of Lisp.

It seems curiously appropriate that Javascript programs are the only ones I run these days that consume all available RAM and swap space, and that crash. They are also the only programs I run that depend on a garbage collector. I doubt this is a coincidence.

Nothing I encounter on the web that I have any reason to want to use depends on having Java installed. That's good. Javascript has become unavoidable, though, and Flash will be soon. Each increment degrades my web experience a bit, with rare exceptions (Google Maps; any others?).

The only hope I see is to run each Javascript/Flash/what-have-you script in a separate subprocess, killed when you leave the page. The OS doesn't fail to collect the memory of a killed process, or to release it for use by other programs. We can't keep undisciplined web-site maintainers from sending us bad code, but we should be able to keep them from polluting our browsers too badly.

Interesting to note the announcement of JavaFX posted on SlashDot.

It looks like JavaFX was groomed to face Silverlight, Flex, AJAX.

ncm wrote: It seems curiously appropriate that Javascript programs are the only ones I run these days that consume all available RAM and swap space, and that crash. They are also the only programs I run that depend on a garbage collector. I doubt this is a coincidence.

Funny. I abandoned using Gnome & KDE around 1991 because of their poor resource peformance, to embrace the lisp-based, garbage-collected sawfish window manager. Emacs has mostly been pretty well-behaved spacewise: my stability problems with it over the years have mostly been due to non-terminating code, not gluttonous code.

Do you really not run perl at on your machines?

ptwithy wrote: And yes, the language of the future is Javascript, to which ncm responded Javascript has become unavoidable, though, and Flash will be soon. Each increment degrades my web experience a bit, with rare exceptions

As I've posted before, I don't think the correlation between coding quality and presence of garbage collection is anything like as close as ncm seems to think, but there is certainly a sense in which garbage collected programming languages provide something of a lifeline to bad code.

Is there anything that can be done about this? Proof carrying code provides a technology: code can be guaranteed to run within given resource bounds; but there is no possibility of web-2.0 companies providing PCC in the current environment. Is there anything that might work?

chalst: I have to admit also running Emacs, which hasn't been obviously leaky or crashy, lately. Neither has most of Gnome, lately. While abandoning Gnome and KDE around 1991 would have been remarkably foresightful (if ineffectual), adopting sawfish would have been positively prescient: none of those projects existed in 1991, and many readers here must have been more interested in learning to ride their bikes without training wheels than in Free Software.

I don't draw any connections between coding quality and garbage collection. I draw strong connections between presence of GC in a language and that language's suitability for applications other than pure computation. That said, a garbage-collected language is not necessarily worse for any particular task than C, and could be better.

I do try to avoid running Perl, for reasons unrelated to GC. However, I don't think of Perl (or Python) as a GC language.

you guys are just _too_ funny :) you take this stuff all so seriously!

ncm: my bicycle was assembled / welded by my grandfather, who was an extremely good engineer. unfortunately though the bicycle split in half after five years, when i became much bigger :)