Hacker News new | ask | show | jobs
by jonrx 4016 days ago
I smiled when I saw that a javascript browser has no javascript support. :)

I like it. I tend to usually remove the style when I read longer documents. This is prettier while doing the same thing.

What are your next goals with it?
2 comments
pierre 4016 days ago
Thanks for your feedback :) I also have an issue with the explosion of 'designs' in the web and this is my first tentative at imagining what a 'sober' web could look like.

I think that to be useful to have predefined template per style of pages. For example for now the hacker news page do not render correctly, and I should add a 'Link List' template.

I could also improve the content detection. On some site it still do not catch all the main article / or catch some ads.

I should also fix some bugs first (as I rush it, it really need more polish).

link
S4M 4016 days ago
Actually, since javascript has an eval function, shouldn't it be straightforward to support it in the browser?
link
0x0 4015 days ago
Straight-up eval() would be the most blatant case of a remote code execution vulnerability the web has ever seen. I don't think it's easy or even possible to build a foolproof sandbox out of eval(). And even then you open yourself to a denial of service since you cannot interrupt the eval().
link
PuercoPop 4015 days ago
You can build a foolproof sandbox, but at the 'OS-level', not at the 'language' level. By disabling syscalls and setting resource limits.

You can read more here: http://www.eelis.net/geordi/#faq

link
geofft 4015 days ago
I think the link to Geordi is not quite relevant here (although it is super cool): the claim was that it's hard to build a foolproof sandbox out of eval(). If you're using Geordi, since it's a separate process in a chroot, you can't use eval(). If you're giving up on eval(), you can write a foolproof sandboxed JS evaluator in JS alone.

Besides, the hard part with all sandboxes is not making the sandboxing itself solid; that's straightforward. The hard part is giving it a sufficiently rich interface to the outside world to do useful things, while not giving it so rich an interface that it can escape through that hole. All the semi-recent vulnerabilities in qemu, for instance, have been in virtual devices, not in actually emulating a processor.

Geordi's story is relatively easy, since all it does is compile code and execute it in an intentionally-minimal interface. JS on a web page has thousands of things it can do to the web page or to the outside world, if you want to implement it according to spec.

link
PuercoPop 4015 days ago
My mistake, You are right. I had read the question as foolproof sandbox that included eval.

One can see the banning the syscalls approach as cutting the Gordian knot.

link
themeek 4015 days ago
I think it would still be non-trivial as event bindings, DOM bindings and others things would not work out of the box. It's a super neat idea though.
link
pierre 4015 days ago
Actually the non-js part is here by choice. The goal is to do a browser that let you only read things, not interacting, and no distractions.
link
S4M 4015 days ago
I agree with you that webpages are sometimes too animations heavy. There is w3m as well that is a read-only browser.
link