Google Darts Back to VBScript

There’s an interesting discussion evolving on the WebKit developer’s mailing list that boils down to adding VBScript support to the project. Well, almost. It’s a discussion between two major contributor camps, Google and Apple, on the framework for integrating Google’s langue du jourDart.

To set the stage, no one on the list is arguing in bad faith. If you’d prefer the troll-baiting titillation of he said/she said threads, look elsewhere. Never the less, keep reading here and you’ll be rewarded with a pontifical comment or two.

So, back to Google’s desire to include VBScript to the WebKit browser engine. I mean Dart; I believe they call it Dart because four fewer letters improves efficiency. The basic idea is that JavaScript is nice, but insufficient to fully replicate certain kinds of desktop apps. For example, JavaScript becomes creaky if you push it to handle anything associated with frame rates — namely games.

There’s clearly self-interest in improving browser computing if your entire platform relies on the browser. For starters, you want a browser that won’t have ad-blocking on by default. And you’ll want to smooth out the wrinkles of something like a Do Not Track header.1,2 Sometimes, it’s even convenient to get other browsers, say Internet Explorer, to catch up on technology by plugging your own browser into them.3 (Never mind the implications of a browser in a browser.4,5) That brouhaha of 2009 enabled users to experience brave, new products with their Chrome/IE chimera — which in hindsight must have been necessary since the product was no longer around by the time IE caught up on HTML5.6

But all of that avoids the fact that JavaScript isn’t perfect. Enter Dart, accompanied by tweaks that make it more bare-metal-compiler friendly

On the other hand, maybe JavaScript (ahem, the ECMAScript standard) just needs its own tweaking to enable performance gains.7,8 And while we’re on this JavaScript tirade, why not throw improve our privacy with some crypto-related capabilities rather than start over with VBDart?9

ECMADart isn’t Google’s sole flirtation with browser extensions. Google also wants to reinvent ActiveX in the form of a plugin called NaCl.10 NaCl is a sort of the arterial bypass of JavaScript in that it provides a way to execute native code (C or C++) in your browser. Instead of relying on the non-standard closed sandbox plugins like Flash or Silverlight you can rely on the non-standard open source sandbox plugin of NaCl.

Words That Start With E

Understand first that reinvention intends to improve upon the original. Hollywood likes to call this “rebooting” a franchise. This brings us cool Batman movies. At the price of yet another Batman movie. Or yet another Superman. Or Spiderman. (Hey, Star Trek was pretty awesome so reboots aren’t out-of-hand a bad idea.) Yet this pushes other, fresher ideas out of the way. In web terms, those other, fresher ideas involve developers embracing HTML5 and JavaScript as the standard deployment model for web apps rather than coding to browser quirks or throwing Flash-driven menus everywhere.

Now fill in the blank: Reinventing a technology is a great way to [ ____ ]

Even desultory readers should notice the biased presentation of choices: Three phrases of cliched meaninglessness and one possibly-too-subtle allusion to the dark times of an almost two decade-old past. It wasn’t until the late 90’s when a Rolling Stones‘ song first graced a t.v. commercial. Their song, “Start Me Up,” played over an ad (this is the dark times part) for Microsoft — the company that created the “embrace, extend, and extinguish” strategy to give Internet Explorer dominance in the browser market.

One great way to embrace and extend is to provide New! Cool! features that work great in one browser, but degrade or don’t exist in any other. A new scripting language is one way to do that, even if it’s as useful as VBDript. To be fair, plugins like Flash and Silverlight need to be pulled into this category. Java counts as cross-platform, but when was the last time you used a Java app in your browser? When was the last time a hacker did? (Hint: Probably more recently than you think.)12

Stepping outside of boundaries isn’t always bad. After all, a foundation of the modern web, the XMLHttpRequest object, arose from an IE-only extension.13 A detraction further compounded by requiring ActiveX. XHR’s adoption into the W3C standards was both acknowledgement of the feature’s widely recognized utility as well as the desire to make the feature equal among all browsers.

All You Need is <!doctype html>

Maybe everything doesn’t have to go into the browser. Yes, I can think of a few reasons why App stores (trademarked ones and not) equally threaten divergence and uncrossable platforms. But at least consider the app+device duo has a better security model than the browser. The browser’s model is mostly a Same Origin Policy affair, whereas you ostensibly have to approve and acknowledge certain behaviors for your sandboxed app.

The worst thing you can do is sign up to the WebKit developers list in order to spam it with flaming, troll-ridden diatribes for or against JavaDart. Let engineers more involved in the browser sausage making sort it out with their constructive conversation.

The best thing you can do is continue to create cool web sites with technology that works in every browser: HTML5 and JavaScript. Let the annoying litter of the Web’s past (pop-up windows, scrolling marquees, even Flash has a terminal diagnosis by now) scatter in what the Scorpions so awesomely sung as the “Wind of Change.”


Published by Mike Shema

Mike works with product security and DevSecOps teams to build safer applications. He also writes about information security, with an infusion of references to music (80s), sci-fi (apocalyptic), and horror (spooky) to keep the topics entertaining. He hosts the Application Security Weekly podcast.

%d bloggers like this: