World wide wheel, reinventing of

09.05.2013 22:00

The direction browsers and web technology are moving these days truly baffles me. As usual in the software world, it's all about piling one shiny feature on top of another. Now, I'm not against shiny per se, but it seems that a lot of these innovations are by people that haven't even took an hour to look at the already existing body of knowledge and standards that has accumulated over the years. With the frenzy of rolling releases and implementation-is-the-standard hotness, it's not even surprising that those are then implemented by browsers before someone with a long enough beard can stand up and shout Hey! We already thought of that in this here RFC.

Take for example all the buzz about finally solving the problem with authentication on the web. Finally, there's a way to securely sign into a website without all the mess with hundreds of hard-for-me-to-remember yet easy-to-guess-by-the-cracker user name and password combinations. Wonderful. Except that this exact thing existed on the web since people did cave paintings and used Netscape to browse the web. It's called SSL client side certificates and, amazingly, worked well enough for on-line banking and government sites even before the invention of pottery and cloud-based identity providers.

But that's just the most glaring case. Another front where this madness continues is pushing things from the old HTTP headers to the fancy new HTML5. Take for example a proposal to add a HTML attribute that defines whether a browser should display something or save it to disk by default. This functionality has existed for ages in the form of a HTTP header, yet this is somehow dismissed as a server-side solution (what does that even mean?).

I wonder how many web developers today are even aware that there exists a mechanism for a client to tell the browser which language the user prefers (but we most certainly need the annoying language selection whole-screen pop-up-and-click-through!). Or that the client can tell the server whether it would rather have a PNG for downloading or a friendly HTML page for viewing in a browser (meh, we'll just fudge that with some magic on-click Javascript handlers).

Now I can see someone laughing and saying how ridiculous this idea is and if I have ever even tried to use one of those ancient features. No it's not, and I have. It's consistently painful. But it's only so because for some reason, browsers long ago decided to make the most horrible interface to such functionality imaginable to man and then forgot to ever fix it. Mostly it's hidden 10 levels down in some obscure dialog box and if banks wouldn't give you click-by-click instructions on how to import a certificate, 99% of people would give up after a few hours and continue chiseling clay tablets. Now imagine if a tenth of time spent in reinventing the wheel would be spent just improving the usability of existing features. Why can't I go to a web page and get a prompt: Hey! This web page wants you to login. Do you want me to use one of these existing certificates or generate a new, throw-away one?. World would be just a tiny bit better, believe me.

In the end, I think modern browsers have focused way too much on improving the situation for the remote web page they are displaying and neglected the local part around it. And I believe this direction is bad in the long run. Consider also the European cookie directive. I'm pretty sure this bizarre catch-22 situation where web pages are now required to manage cookie preferences for you would not be needed if browsers provided a sane interface for handling these preferences in the first place. My Firefox has three places (that I know of!) where I can set which websites are allowed to store persistent state on my computer. Plus it manages to regularly lose them, but that's a different story.

Posted by Tomaž | Categories: Life


You raise a few good points, especially related to SSL and confusing preferences, but I also disagree with some things you said.

Yes, we know there are HTTP headers for specifying language. They just happen to be highly unreliable to the point where most find it better to ignore them.

Download attribute is needed for content that is created in browser (on client). I can create PDF files in browser without any participation of a server. It also provides a bit more flexibility since you can toggle it, but that is less important.

In fact most changes to HTML and browsers were done exactly to reduce necessity for server. Single page applications (web apps) are all the rage.

I actually support European cookie directive because it puts responsibility where it should be, on service providers. I can delete my cookies as much as I want, but that isn't enough to prevent tracking. So needing acceptance from user feels fine.

Posted by Marko

But isn't the HTTP "Accept-Language" header setting unusable exactly because browser developers stashed it somewhere under the rug? I see no reason why a browser couldn't ask you which language to use for pages that support that. It would certainly be more useful than that translation thing Chrome has and websites wouldn't need to reinvent the wheel all the time.

You're right about single page applications. That's something I haven't thought about.

Regarding European cookie directive, what I had in mind was the interpretation where web sites are supposed to remember user's preferences regarding cookies, but they obviously can't do that without setting a cookie, leading to kind of a catch-22 situation. I certainly agree with provisions regarding privacy and tracking, but the whole discussion I see seems to be going on specifically about HTTP cookie handling and not much else.

Posted by Tomaž

Browser vendors are at least partially responsible for language mess, but in a way it doesn't matter. You solve the problem you have, not the one that you would like to have and we are at the point where that setting is unreliable (side-note: even where vendors are the same, it doesn't mean the same people are still involved).

I talked to Fry recently and cookie directive is indeed problematic, but even though there are many technical challenges (yours is another good one), I think the spirit of the idea is correct. My privacy should not depend only on my vigilance and luck (that companies won't screw me over). Focusing on cookies is short-sighted since I don't actually need a cookie to track people on my site (or save their setting).

Posted by Marko

Add a new comment

(No HTML tags allowed. Separate paragraphs with a blank line.)