This is the problem with the modern web, which has become an app distribution platform. When you treat the browser as an OS, you need to expose a lot of information for stuff to work.
It would be very interesting to develop a modern web based purely on declarative content (modern HTML/CSS). HTMX is an interesting take on this, although it's currently implemented as server-provided JS: i don't see a reason why such patterns couldn't be implemented by the browser itself.
> It would be very interesting to develop a modern web based purely on declarative content (modern HTML/CSS).
For sure. I think some scripting could also potentially be implementable without massive fingerprinting / privacy implications. E.g. pure compute scripts, form validation, etc. that has no practical way to smuggle any data out of your browser. Anything that sends a request would have to be statically derived (or explicit user input as into form).
Functional data pipelines without side-effects could do the trick indeed. It would also make it a lot easier to debug for performance issues, and the browser could be more clever about optimizations: for example if you've got a loop changing DOM elements, maybe you could wait for the loop to finish before starting a re-render... something that's impossible to do with JS-based rendering where global page state may change under your feet at any given time.
EDIT: Just for the sake of mentioning, simple/obvious computations for interactivity was the promise of GNU's libreJS project. I'm unaware of the current state of it, though.
> It would be very interesting to develop a modern web based purely on declarative content
Is not that the subset of the web that would work when javascript is disabled? Some already develop it in that direction - what is not declarative shall be unnecessary. Or are you suggesting something different?
The problem is the declarativeness of the web is very much limited for UI/UX purposes. There have been good steps taken with HTML5, although dropping XML-compliance was in my view a major mistake in terms of operability/simplicity.
I don't understand why we need to have dozens of CSS frameworks for "components" that have become common practice across the ecosystem. Pagination, "Hero" elements, intra-page tabs, breadcrumbs (and many others) should be HTML standard so that it's more accessible and users can come up with their own stylesheets. The breadcrumbs for example would enable your browser UI to show a "go up" button like your file browser does. Another interesting example would be element filtering: why can't a <form> with a local action property (like "#data") be used to filter a list of elements without JS?
As long as most UI of a page is dictated by dozens of piled-upon CSS hacks, user stylesheets will remain a wild dream. But given how little variety there is on the web these days, many things could be standardized part of the HTML spec so that CSS is only needed for customization (eg. colors, spacing) on simpler pages, while retaining the possibility for the server to suggest more complex CSS UIs as we currently do if you absolutely want to do that.
If you're talking about the gemtext format, unfortunately beyond titles, list, blockquotes, preformatted texts, and links, nothing else has been standardized.
I understand the appeal of simplicity but if you ask me that's a huge step backwards compared to HTML5. No <form>, no <section>/<article... It's like markdown but with another syntax :-/
Hey thanks for taking the time to reply. Have you maybe got in touch with hacker-friendly browsers such as nyxt? There may be some interested people over there.
Also, are there some good venues to discuss the semantic/declarative web with you htmx folks and hopefully people from other like-minded projects? IRC? XMPP? Matrix?
Sorry for the delayed response: nope, never talked w/ the nyxt folks. I tried to post a topic on the working group thingie but they, understandably, weren't very receptive.
Well the good thing about nyxt is it's super extensible so a PoC doesn't require proper "reception" on their side.
Do you maybe have a gateway/bridge to a libre network such as IRC/XMPP/Matrix? I find HTMX pretty interesting but i wouldn't touch discord with a 10-foot pole, if only because my limited computing resources won't allow for such a resource-hungry app to run in the background.
It seems like matterbridge supports discord backend but i don't have a discord account to try it with. If you're not willing to host matterbridge, i'm already hosting one and i would just need credentials to try and connect it to Discord. If you're willing to give that a try, feel free to mail me at my username @ thunix.net.
To render content based on device screen scaling. window.devicePixelRatio provides page zoom level combined with OS DPI setting. Things like canvas do not use scaling by default, so to render content appropriately you need to know by how much you have to scale it. Other use cases exist too.
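The canvas scaling described in the comment above, as an added example that is not part of the original thread: the backing store is sized in device pixels while the element keeps its CSS size, so drawing code can stay in CSS units. The function names and the stub canvas are assumptions made for illustration; in a browser the ratio passed in would be `window.devicePixelRatio`.

```javascript
// Added example (not from the thread): HiDPI-aware canvas sizing.
// `canvas` is any object exposing width/height/style/getContext: a real
// HTMLCanvasElement in a browser, or the constructed stub below offline.

// Compute backing-store dimensions for a CSS size and a device pixel ratio.
function backingStoreSize(cssWidth, cssHeight, dpr) {
  // Fall back to 1 when the ratio is missing or invalid.
  const ratio = Number.isFinite(dpr) && dpr > 0 ? dpr : 1;
  // The backing store must be a whole number of device pixels.
  const width = Math.max(1, Math.round(cssWidth * ratio));
  const height = Math.max(1, Math.round(cssHeight * ratio));
  // Effective scale after rounding; it can differ slightly from `ratio`.
  return { width, height, scaleX: width / cssWidth, scaleY: height / cssHeight };
}

// Resize the canvas and scale its context so drawing uses CSS pixel units.
function fitCanvasToDisplay(canvas, cssWidth, cssHeight, dpr) {
  const size = backingStoreSize(cssWidth, cssHeight, dpr);
  canvas.style.width = `${cssWidth}px`;   // layout size, in CSS pixels
  canvas.style.height = `${cssHeight}px`;
  canvas.width = size.width;              // backing store, in device pixels
  canvas.height = size.height;
  // Setting width/height resets context state, so set the transform afterwards.
  canvas.getContext("2d").setTransform(size.scaleX, 0, 0, size.scaleY, 0, 0);
  return size;
}

// Constructed stub standing in for an HTMLCanvasElement (hypothetical helper).
function makeStubCanvas() {
  const ctx = {
    transform: null,
    setTransform(a, b, c, d, e, f) { this.transform = [a, b, c, d, e, f]; },
  };
  return { width: 300, height: 150, style: {}, ctx, getContext: () => ctx };
}
```

Without the ratio, a 300x150 CSS-pixel canvas on a 1.5x display is drawn into 300x150 device pixels and stretched, which is the blurriness the comment refers to.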
I find that question valid for almost everything that's used for fingerprinting. Eg. Why is timezone available by default?
I wrote more but I sound like old man shouts at cloud. I've got ad and JavaScript blockers, but so much of the web is created sitting upon a mesh of invasive bullshit that it breaks easily.
and then you can read it out to indirectly get the time zone anyway (albeit a less specific version of it, since you wouldn't have the DST info). also, sometimes you need to actually have the user's time zone for things like e.g. scheduled blog posts, so that they will show up when the user expects them to, not their scheduled time in UTC or whatever.
I use a site that only does UTC, and time zone related complaints are the most common issue asked about on the forums
> IE, web component where you can set a format string and then the browser renders it substituting the info it has?
you can easily detect this
- please display this localdatetime as a string
- read it back and parse it
- are they (almost) exactly multiples of 60 minutes apart?
- if yes it's most probably your timezone
because websites are sometimes interactive and allow the user to schedule things to happen at certain times.
And displaying time/date locally would leak that information anyway if you wanted to do it in a way that works in various contexts it would need to in a website (e.g. canvas based apps)
even if you just let the user stylize the font of the date (which you clearly would need to), you tell your magic date input to only show the current hour, then use a font that has a certain width for each number, allowing you to then based on the width of that element figure out the hour, same for other things, obviously. It's easy to imagine some thing like that without thinking about all the details, but it's not really feasible once you think about how this would be implemented and how it could be circumvented. And that's in addition to not working in contexts where you schedule a blog post, zoom meeting, or whatever else might require the server to account for user time zone
IMHO, even when sand-boxed, allowing a fully Turing-complete language with such a vast selection of available APIs to run on page load per default is what kills privacy.
People should be trained to allow script execution only when they trust the site, and there should be levels: Zero, Fully Isolated, Trusted.
OK now time to wait for someone to tell me this will be too much to ask from users. It wouldn't be an invalid point either, we can't even train people to have some common sense when in control of tons of steel going fast loaded with highly flammable liquids... So, there's that.
It's not even per page. I don't care if I trust that page, I don't want any FB scripts to run. There are so many external libraries included (loaded from a CDN they do not control) that I don't trust any developer to know with 100% certainty what their app includes.
Maybe something like randomizing the variables in a realistic way across many sessions where the real session is controlled and viewed directly by the user.
I don't think it would work when there's a state across views or server though, but maybe that's something you avoid when using Tor anyway?
My hunch is that it’s not explicitly provided to the website by the browser, but there are ways to measure what the zoom level is using JavaScript on the page.
One could use element.getBoundingClientRect and similar APIs to measure what size certain elements are rendered at and compare that with their default size for instance.
The resulting zoom level can then be used as a signal for fingerprinting.