Ditch the web as a platform

5 minute read Published: 2021-02-06

I'm late to the party of moaners, but I need to elaborate on some notes on the current state of the web as an application platform.

Well.

The web, as a platform for applications, is an utter steaming pile of dogshit.

I've been working for some time now in both frontend and backend development, and have done my share of hobby experiments (for learning purposes), to finally realize that these platforms were born for a purpose.
Over the years they were then abused and punched so hard in the face that they are now just a shadow of their former selves.

Email deserves a rant of its own, so here are only some thoughts on the Web, the Internet.

[Image: Behold the Internet]

§ The Web of (un)Trust

Web applications? Security? Sessions? How can I put those words next to each other and keep a straight face? Browsers are playing cat and mouse with an infinite stream of security issues caused by a misuse of the platform.

Case in point: configuring a frontend and a backend to trust each other while being on the same domain, just on different subdomains. The whole CSRF authentication, the CORS headers you need to send with every request, cookie or LocalStorage here and there, restricting Cookie policy ... everything smells like rotten bad design. Patches over patches.

[Images: "The Web, today" / "What you're actually looking at"]

Just because in the end we can make things work, that doesn't mean the final result is good. That was not the way it was supposed to work.

§ How did that happen?

I see a sequence of events:

  1. Back in the day the "Internet" platform was thrown out there and people started using it. Security wasn't an issue; it was about hypertext documents (the HT in HTML).

  2. The platform became increasingly commonly used and at some point the business around it ignited and companies started putting money in, so someone at some point realized that the roads where money flows should be trusted by the public, otherwise people won't use your roads.

  3. The tooling available was not there and the horizon was not far ("what do we need in five years?"). So, let's patch with what we know today (yeah, hindsight is always 20/20).

  4. Year after year the platform usage increased and new sets of problems were introduced. New patches and hacks were added, layer over layer, so as not to break existing stuff.

Repeat steps 3 and 4 until today, and here we are talking about cross-site scripting, user profiling using any possible loophole in the clients (the latest fun stuff being super-cookies) and Single Page Applications (SPA) hogging a current-gen laptop.

If we look at the API surface of the browser, it's something that would scare any sysadmin whose users run this kind of client software.

The only two applications that make my laptop fans spin like crazy are Slack on a Firefox tab and compiling a Rust application: a chat web application that causes resource spikes like a compiler, this is where we are today.

And it doesn't stop. No one is pulling the brakes and saying that it's time to rethink the vehicle we are on; we have so much crust accumulated from the past that we cannot redesign from scratch.

§ What is a browser?

Read that word again: browser. A tool to browse, not a container where everyone can stuff whatever thing they can come up with.

If you need an application then use a damn application, we don't need to centralize everything in a web browser. If the idea of having separate applications for multiple tasks sounds strange and quaint, it's because we've been fed this lie over and over by people thinking that a browser can do everything.

It's the protocol that matters, not the application using that protocol: if HTTP has become the grand unified API protocol in the world (and that is not a good thing), that doesn't mean that we need to fit any use case into the browser. We are not extending browsers, we are raping the very concept of the browser and dumping on someone else (i.e. browser maintainers) the problem of making everything work for your damn enterprise web panel.