Those are the main features I'm expecting from a web browser:
- Written in a memory-safe-ish language that a plebeian like me can understand, review and contribute to,
like Rust and Go or even Lua or V, but please no Lisp, elisp or Haskell.
- Sandboxed to death.
- Ability to block ads because
the web is a hot bubbling cesspool.
- a sensible subset of
http 1.1 (and maybe
http2 if you're feeling fancy,
because multiplexing requests is neat),
typescript) support, with
something like a dumb interpreter,
also written in a memory-safe-ish language.
- maybe tabs
Now here is a subset of the ones that I don't want,
and that the vast majority of websites and their users either don't care about, don't use,
or even shouldn't be using in the first place:
- Ridiculous performance hacks:
- WASM: The web used to be readable-ish,
debuggable, observable-ish and introspectable. I don't want to run assembly in my web
browser and lose those properties, for what exactly? Mining bitcoin/monero,
cross compiling programs to make fun demos, and providing a
for every browser exploits.
- Crazy optimizing
with ungodly hacks: we shouldn't
need those to have usable webpages. Firefox, for example,
two-tier interpreter and two-tier JIT. Google Chrome
has 3 tier JIT and
an interpreter. Previously, it was JIT-only, then 2-tier JIT, then 2-tier
JIT plus interpreter, then 3-tier JIT plus interpreter, then single-tier
JIT plus interpreter.
I don't want profile-based optimizations, … I want less code involved with
if it comes at such a high price complexity-wise.
- DNS prefetching:
self-host your resources, instead of delegating them to a steaming pile
of untrusted statistics-hoarding CDN kinda obsoleted by http2 anyway.
- Async and defer,
- Subresource loading with Web Bundles: no.
- Battery-savings meta tag: don't eat my battery in the first place.
"support emerging applications, such as latency-sensitive game streaming,
client-side effects or transcoding, and polyfillable media container support".
Nobody except Google is doing game streaming in a browser, and nobody
except YouTube wants to have web browsers doing transcoding.
- Things my operating system is already doing, but apparently needs to be
done by my special snowflake of a web browser.
- Fullscreen API
- Multi-Screen Window Placement: I already have
a window manager taking care of my screen estate.
- DNS things:
- DNSSEC, because in the Chrome Security Team's
"DNSSEC and DANE (types 2/3) do not measurably raise the bar for
security compared to alternatives, and can be negative for security."
If the goal is to prevent ISPs from harvesting and selling DNS history,
then it's a neat example of a social problem being addressed via technical
means. The right™ way to fix this is by making it illegal for ISPs to behave
this way, with steep fines and accountability, instead of providing a
band-aid pseudo-solution that will be bypassed in a couple of months.
- Themes: my browser isn't an IDE.
- Handwriting recognition: why.
- In-browser screenshot tools.
- Picture-in-Picture API:
"The Picture-in-Picture API allow websites to create a floating video window
always on top of other windows so that users may continue consuming media
while they interact with other content sites, or applications on their
device.". I already have something called a
desktop to arrange windows around, thanks.
- A crapton of (often forked) vendored things because screw properly packaged dependencies?
- On Debian, Firefox embeds its own copy of sqlite,
a crapload of rust crates,
various python libraries,
parts of curl,
more python stuff,
and a lot more
- Still on Debian, Chromium is a lot of fun as well:
some xmpp stuff,
libxml with patches,
- Fuck accessibility misfeatures:
- Encrypted Media Extensions, adding
proprietary inscrutable blackbox garbage
so that some people can watch netflix in their browser. Just give up on
DRM already, they're useless at best, harmful at
a thing from the past that should be thrown directly into the Sun.
- Clipboard API: not
only a privacy concern since websites shouldn't be able to read/write into
your clipboard, but also a nice opportunity to screw accessibility over by
preventing people from copy/pasting content on websites.
as a bonus.
- Pointer Lock API: "It
gives you access to raw mouse movement, locks the target of mouse events to a
single element, eliminates limits on how far mouse movement can go in a
single direction, and removes the cursor from view. It is ideal for first
person 3D games, for example.". Because of course implementing FPS in a web
browser is such a common genuine usecase warranting an implementation of
this feature in every single web browser.
- Session history management,
because manipulating the user's browsing history is of course a feature and
not a horrible malpractice!
- Print events, because adding annotation and watermarks is neat!
- Disabling the spellcheck, what's even the usecase for this?
- Multimedia stuff, because the web is the new demoscene apparently:
- WebGL: My web browser isn't a game console.
Microsoft even considered it harmful.
- WebGL 2.0,
because you can't deprecate/supersede shit fast enough, and having bleeding
edge accelerated 3D graphics rendering in a web browser is an essential
- WebRTC: "real-time communication capabilities", in a web browser.
Pepperidge farm remembers when chat apps weren't running in browsers.
- Web MIDI API: to run synthesisers I suppose?
escapes as a bonus.
- WebVR WebXR Device API, virtual reality, why…
- Canvas API:
<canvas> element. Among other things, it can be used for animation, game
graphics, data visualization, photo manipulation, and real-time video
processing." all essential usecases for the vast majority of websites.
Actually, a significant number of websites are using this API for
- WebGPU: I don't want to play games, I want to browse
the web. I don't want my browser to have low-level access to my GPU and its
stellar quality drivers.
- Media Session API, to customize media notifications.
- Gamepad support, because I've always
dreamt of browsing the web with a joystick or a PS1 controller!
Sandbox escape as a bonus.
- Web Audio API: because
without the ability to add effects to audio, mix sources, create audio visualizations and apply spatial
effects, how would one reimplement Ardour in a
browser? On the bright side, processing audio is a straightforward process,
and this added complexity will for sure never be a source of critical
- A builtin PDF viewer: Can we please
stop trying to shove every single desktop application in web browsers?
It's not as if the PDF specification was a longer-than-the-Bible trashfire complexity-wise that
will invariably lead to catastrophic bugs anyway.
as a bonus.
- Client-side video editing: I don't even.
- Speech Recognition: this should
be something globally available on your operating system; imagine if every program on your computer was
implementing this in their own fashion.
Sandbox escape as a bonus.
- Security misfeatures:
- Sandboxed iframes:
I don't want frames in the first place. Including
websites in your website is idiotic, but doing it with data that you don't
trust is a whole new level.
- Seamless iframes,
because phishing isn't a thing!
- XSS auditor:
easily bypassable, with false-positives, introducing cross-site leaks, …
- Portals, because using pictures and
links is too much to ask apparently. Stop considering loading pages as
escape as a bonus.
- Web Crypto API:
useless at best, dangerous when not completely moronic most of the time.
- Do not track: Enabled by
default, respected by no one.
- Credential Management API:
Just use a password manager already,
instead of delegating this to websites themselves.
- Signed HTTP Exchanges (SXG),
as the main usecase, because Same-Origin Policy are too easy to manipulate,
so let's add some more nightmarish cryptographically signed insanity on top of it.
- Document Policy, because
browsers are supporting so much crap that apparently we now need a
declarative policy to inform users what features will be (mis)used to track
- SameSite attribute: The "strict" mode should be the default behaviour.
- Public Key Pinning, deprecated in
Chrome, it's a bandaid over the CA system
in the form of a trigger-happy triple-barrel footgun doubling as a cool
- noopener should be the default behaviour.
- Subresource Integrity:
it solves some security problems that you shouldn't be having because
including resources from untrusted sources in the first
place is pure concentrated whole-grain stupidity.
- Third party cookies: drop them by default, into a volcano.
- WebOTP API and its cross-origin iframe support:
2FA via sms-based OTP doesn't prevent phishing, and even if it did,
which it doesn't, I don't want my web browser to have access to my text messages!
- Extended validation certificates:
useless, expensive and don't improve security.
- COOP/COEP/CORP/CORS/CORB headers: don't include untrusted shit into your webpages in the first place for fuck's sake!
- Exotic fileformats and protocols support
- FTP support: the
70s called, they wanted their protocol invented before TCP/IP back.
- Gopher support.
"The format was designed for use on 3G mobile phones, but can still be used on more modern phones and networks."
- QuickTime shit
everyone uses mp3, ogg or flac except Apple and a few game consoles.
because tiff is such a great format, and
uncompressed/ghetto-compressed scanned photos are something common on the web.
nobody uses it anymore, just drop it already.
- WAV: Uncompressed audio, nobody should use it to play sounds on webpages.
- Tracking garbage:
- Trust Token API:
- Federated Learning of Cohorts: tracking via third-party cookies
was awful, so the obvious solution is to
get rid of them replace
them with an opaque
with pinky-swear promises attached, while this in fact significantly eases fingerprinting and targeted
advertisements, leading to
It's hilarious that everyone hates it and is turning it off; both big content providers
The Guardian, …
and web browsers like Vivaldi,
Firefox, … Lawyers and States are also talking about
as well as blatant GDPR violation.
- Idle detection: with exotic usecases,
when you can actually vividly hear advertisers thinking how cool this is to check if users
are looking at ads or not!
- Conversion Measurement API: fuck no.
- Beacon API: Why would I want data to be sent to websites after I closed the page?
- Web Bluetooth: No, I don't want websites to
communicate with devices over bluetooth, providing them
yet another way
to track me, in the real™ world. Various
escapes as a bonus.
- Privacy sandbox:
flaming tracking garbage.
- Geolocation: Why would websites want to
know my location, except for geoblocking, tracking and
geotargeting? They usually already
have my actual IP address, which is more than enough anyway, don't provide them with more.
- Referer: Yet another purely tracking-oriented misfeature from the past.
- Web NFC: Even the official usecases are dull and über-specific.
why should websites care about how many logical cores my CPU has‽
- Magnetometer: the usecases section
of the specification is hilarious, in a tragic way.
- Gyroscope: no.
- Ambient Light Events/AmbientLightSensor: What's the usecase for this? Changing the theme of the website to match the current lighting mood?
- Accelerometer: can't have too many ways to track/identify your environment!
- Proximity Events:
"When the device proximity sensor detects a change between the device and an
object, it notifies the browser of that change.". What is the legitimate
usecase for this? Implementing automatic parking for your car via your
phone's web browser?
- Orientation Sensor/DeviceOrientation Event Specification:
why should a website care how I handle my device?
- Battery Status API, deprecated, but still a shitty idea in the first place.
- Broadcast Channel API:
"basic communication between browsing contexts and workers on the same origin.". It seems that it's simple to use Spectre in the first place.
- Content Index API: "The
Content Index API allows developers to register their offline enabled content
with the browser.". If I want to access a webpage offline, I just save
it. No need for the browser to perform special shenanigans for this to
- Web Periodic Background Synchronization API:
"The Web Periodic Background Synchronization API provides a way to register tasks to be run in a service worker at periodic intervals with
network connectivity. These tasks are referred to as periodic background sync requests.". One more opportunity to nuke my battery, excellent!
- PageTransitionEvent/Page Visibility API, no I don't need websites to know if I'm looking at them or not.
- Network Information API,
because of course websites have to know what type of connection I'm using.
Just minimize the amount of data I need to download to browse your website,
instead of thinking that I'm ok with more ads because I'm using a fiber
connection, because I'm not.
- Screen Capture API:
why would a website need to see how it's looking on my device‽
- Ping API: "Typically for tracking." → volcano.
- Web Periodic Background Synchronization API:
I don't want websites to silently do things behind my back.
- Storage Pressure Event: why would a
website need to know if my device is running low on space? Just don't store
your garbage client-side in the first place.
- Straight spam:
- Vibration API: great way to empty my battery and get on my nerves at the same time!
just no. I don't want them on my phone, I don't want them on my desktop, I
don't want them on the web. I want to be able to focus on what I'm doing, and
not be constantly distracted. Also, in what situation would I want to allow
a website to notify me of anything? Nothing they have to tell me about is
urgent enough that it shouldn't be sendable via email.
I really love it when some random webpage decides to play audio on its own,
and I have to hunt which one it is and where are the media controls on it.
- Contact Picker API, I can copy-paste phone numbers, thank you.
- Screen Wake Lock API, another really cool way to drain all my battery.
- Web App Manifest: I already have bookmarks, thanks.
- Modal Dialogs: just do it with html already.
- "Sponsored images": stop trying to shove ads everywhere.
I thought we all agreed in the 1990s that those were the cancer of the internet, and should be eradicated.
- Run PWA on OS Login: no I don't want websites to
crawl from the depths of my browser and be automatically run at my
operating system's startup.
- Useless API:
- Barcode Detection API y tho.
USB is horrible security-wise,
and what would be the usecases anyway?
- Permissions API: since
we now have a gigantic pile of API and weird features, we of course need an
API to see which ones are available.
"a two-way interactive communication session between the user's browser and a server.",
I don't want interactivity, I want to read webpages.
- Web Storage API:
client-side key-value storage, which should happen server-side instead.
- Background Tasks API: because everything is so
bloated that we need asynchronism in resources processing.
- Merchant Validation: I
knew that PHP5
had some credit card processing features, but it's no excuse to bolt some
- Microtransaction payment handlers: can't wait for the blockchain version.
- Payment Request API: the justification
for this API's existence is that checkout forms are too cumbersome.
as a bonus.
- MediaStream Image Capture API,
because of course I want my web browser to be able to use my webcam and take pictures!
escapes as a bonus.
- Push API: just use ajax
- Web Serial API: What
website doesn't need to access a serial port nowadays?
as a bonus.
- The fuckton of
useless CSS properties that nobody is using.
- Video encoders:
"This feature ships an AV1 encoder in Chrome desktop, specifically optimized
for video conferencing with WebRTC integration.", a common feature of
websites, thus it's completely worth adding a complete video encoder in
- Raw Sockets API:
the only usecase I see for this is DDoS and implementing nmap
- Misc junk:
- Craptocurrencies trading: fuck no.
- File System Access API:
"It expands the current file capabilities of a browser and can enable
developers to create software to open and save files. Software such as IDE's,
photo or video editors and text editors, to name but a few.".
- File and Directory Entries API: "a "virtual drive" within the browser sandbox",
to be used for drag'n'drop. Just use an upload form instead.
- Offline web applications: I don't
want web pages to become applications. Stop having apps for everything.
Moreover, most of the webpages aren't (and shouldn't be) super-interactive,
and are already perfectly usable offline.
because a full-fledged client-side SQL database sounds like a must-have to
browse webpages. And of course, there is already IndexedDB 2.0 and
IndexedDB 3.0, each 3 years distant
from the other, a sane amount of time for everyone to implement something this complex.
But I guess you gotta compete with Google to see who can deprecate the fastest!
- SVG favicons: nobody is going to zoom on your favicons,
or appreciate how crisp they are on a retina display.
- Pocket should be a web extension, not something bundled in my browser,
- Plugins support, like h264 or DRM in Firefox:
Java and Flash were pure cancer in every possible way, just trash this "feature" already.
- Heavy Ad Intervention:
"These poorly performant ads (whether intentional or not) harm the user’s
browsing experience by making pages slow, draining device battery,
and consuming mobile data (for those without unlimited plans)."
Fascinating. The same reasoning applies to every single ad: what about
blocking them all?
- Quirk mode: If a website is
important enough to warrant a special snowflake mode in a browser because it uses
some obsolete features/hacks, it surely can hire someone to fix their broken code.
- Internationalized domain name:
because phishing isn't a thing.
Punycode isn't a solution since
it only covers ASCII domains spoofing.
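
Browsers decide whether to show an internationalized label as Unicode or as its `xn--` form partly by looking at which scripts the label mixes. The following is an added example, not code from this page or from any browser: it decodes `xn--` labels and classifies each label by script, using constructed sample hostnames and approximating the Unicode script property by the first word of each character's Unicode name.

```python
import unicodedata

# Constructed sample hostnames (not taken from the page).
SAMPLES = [
    "example.com",                          # plain ASCII
    "\u0430pple.com",                       # Cyrillic "а" followed by Latin "pple"
    "\u0430\u0440\u0440\u04cf\u0435.com",   # every letter is Cyrillic
]

def to_ace(label):
    """Wire form of a label: raw Punycode, without the IDNA/UTS-46 mapping step."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.encode("punycode").decode("ascii")

def to_unicode(label):
    """Decode an "xn--" label back to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts of the letters in a label, approximated by the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def classify(hostname):
    """Return (ace_label, unicode_label, verdict) for every label of hostname."""
    result = []
    for label in hostname.split("."):
        uni = to_unicode(label)
        if uni.isascii():
            verdict = "ascii"
        elif len(scripts(uni)) > 1:
            verdict = "mixed-script"
        else:
            verdict = "single-script"
        result.append((to_ace(uni), uni, verdict))
    return result

if __name__ == "__main__":
    for host in SAMPLES:
        for ace, uni, verdict in classify(host):
            print(f"{ace:20} {uni:10} {verdict}")
```

The all-Cyrillic sample comes back as `single-script`, so a mixed-script rule on its own does not flag it; catching that case needs a confusables comparison against the names being protected.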