ServiceWorkers are scoped to the basename of the path they are served from, so you could only intercept a small subset of all possible CDN URLs. In the example, this would be resources under `/hads-ak-xat1/t45.1600-2/`. But you probably can't create a ServiceWorker here anyways as you need a route that returns valid Javascript of your choosing with a Content-Type `text/javascript`. Usually when I've seen an opportunity for ServiceWorker exploits it's due to a JSONP endpoint that does not sanitize its callback parameter.
If you could create a valid ServiceWorker at this route, and load it inside some same-domain HTML page, then you could theoretically use it to intercept and rewrite responses to any resources on the domain under its path. Depending on how you rewrite the response you might be able to get the browser to cache the rewritten resource, which could then get used by other domains. Theoretically. I have never tested this :)
The default scope is the basename, but you can customize it, can't you?
As I said, the text/javascript Content-Type is another one the CDN is willing to serve if you change the extension. I'm silly and didn't think of the fact that unlike HTML, a JS file can't be random binary garbage with a payload embedded somewhere in the middle. However, I am not sure that some allowed image format doesn't allow putting, say, // close enough to the beginning of the file that it will work. It seems like it might be possible with the JPEG header, but of course it depends on the post processing done. (Or maybe there is some way to upload non-images?)
It would be more interesting if an arbitrary website could do this, but they prevent that attack by checking the Origin header on the initial websocket request.
Out of curiosity, did you actually replace the Browser app, or did you just install a new one? If the stock Browser is still installed, you may consider the fact that it can probably be launched from Chrome with a specific URL intent.
> Yes, there is more memory available than before, but that doesn't mean we should just waste it for useless stuff.
I disagree. I think the point is that it's not useless, by its own existence. It saves dev time (which allows more - and better! - programs to be built), it allows richer features and interactions, it lowers the barrier to entry for maintenance work, and most of all prevents constant re-inventing/implementing the wheel, which is reflected to the user in a lack of many common types of bugs, annoyances, and accessibility issues.
I'd argue against it saving dev time. See my above comment, HTML+CSS is not the fastest way to design an app. If it is all you know then yes, it is faster, but inherently it is not a /good/ system. It gets worse even faster if you add JS to the mix!
I think it's a great system. It's surely the fastest way for me personally, in spite of it not being "all I know". With Bootstrap or Foundation, you need very little code to make something look nice, there is great documentation and lots of online resources.
If I want to make a UI in C#, I can pull up WinForms and use one language. If I want to have nice separation of style from code, I can use XAML (which is purpose designed for making layouts easy) and be using 2 purposefully technologies.
There is a lot more mental overhead to HTML + CSS + JS (and then the DOM somewhere) than to just type in
Button accept = new Button("Accept!", new size(100, 45));
form.Add(button, 300, 50);
If I want to style my button, I set some properties on the button.
(And if I want to use XAML, I send a file off to a designer who pops it into a purpose built XAML editor who can play around with the styling and layout to their heart's content!)
The thing is, web tech was designed for a non-interactive page based model, and then interactivity was added.
Then someone wanted curved boarders, and what had to be done to make curved borders was rather nasty. So after a good long time web standards caught up with fashion and an ability to add curved borders was added to CSS.
And damn you to the neither regions of hell if you want squiggly borders (Back to nasty scaling PNGs, or a few thousand 1 pixel DIVs!) However, I'm sure if those do come into style and enough people complain, that squiggly borders will also be added to the spec.
In comparison, a real UI framework lets you override the Paint function and do whatever you want.
On that note, about 2 quarters of freshman Java will have students be able to create custom UI widgets that do whatever is desired.
For someone who already knows programming? Point them at OnPaint, "here override it, draw whatever you want, have fun!" The set of concepts needed to modern UI development on the desktop is tiny. This is a problem space that has had three decades of effort put into making it simple and easy.
Again, want separation of concerns? About 2 hours of XAML will have someone making custom widgets, in fact that is the entire way XAML works! (It was sort of a mind twist for me that the easiest way to make an image button in XAML was not to override an OnPaint method and draw an icon, but rather place the XML nodes for an Icon and a Button together!)
But take someone that knows programming, well first you have to introduce them to CSS, which is a bunch of fields that you have to memorize (or rather just keep looking up) with a number of different types of units supported (none of which do exactly what you want, but I'll grant that is the case for all resolution independent UIs). Then of course they get to learn the newest flavor of HTML (semantic everything, don't you dare use <bold>). Then you get to show them JavaScript (Packages? Namespaces? A language in which imports can silently override my variables causing havoc and dismay? Wow, C's #DEFINE is considered harmful, but this is a whole new level.)
But hey thankfully CSS3 makes 3 box layouts no longer an exercise in pain! So that is a good thing. (I've been using flexible layouts that auto adjust the positioning and sizing of elements since the late 90s, it is nice that the web finally caught up by introducing yet another boxing model!)
Of course the final lesson is "oh and by the way this all sucks so you really want to use a third party JavaScript UI framework. Also CSS is sort of painful so you may want to use a preprocessor. Yeah just shove your content in the middle of your client side generated DIVs. Well yes generating the exact same page on every visitors PC is sort of silly and a huge thermodynamic waste, but it is currently in style so stop complaining about it. Yes I know the comments section takes 10 seconds to load. What do you mean BBSs on a 9600 baud modem responded faster?"
(Edit: Of course the last bit about responsiveness isn't relevant to using a web stack for client side apps, it is just me complaining about the poor state of the web in general)
> If I want to style my button, I set some properties on the button.
You cannot be serious. A 1000+ line long setup() method that creates a ton of one-off elements, sets a million properties, and saves them all as instance variables is in no way superior to using some XML to structure your elements, and then a separate, extracted layer for styling. I've done the procedural shit before, in Java, UIKit, Cocoa, you name it. There's just no way you can actually think that is better. Presentational separation is a good thing. (btw you can write your UI in the same procedural way in Javascript if you think it is superior/are a masochist).
The rest of your comment is very rambling and does not really have a point so I will hold off on replying to it. I write polished, pixel-perfect, cross-platform interfaces, and HTML/CSS is the best tool I have found for the job. Nobody will ever say it is perfect of course, but IMHO it beats the hell out of WinForms! You are right, it is a lot to learn for a 1st year developer, but you are going to get a shitty UI out of a 1st year developer, who cares?
> You cannot be serious. A 1000+ line long setup() method that creates a ton of one-off elements, sets a million properties, and saves them all as instance variables is in no way superior to using some XML to structure your elements, and then a separate, extracted layer for styling. I've done the procedural shit before, in Java, UIKit, Cocoa, you name it. There's just no way you can actually think that is better. Presentational separation is a good thing. (btw you can write your UI in the same procedural way in Javascript if you think it is superior/are a masochist).
Depends what I am doing.
Shipping a large scale commercial app with thousands of UI elements? I sure as heck pull everything out.
But if I am making an app that has a dozen UI elements and maybe a couple of screens in total? It isn't worth my time to switch tabs between my code and an XML file.
> I write polished, pixel-perfect, cross-platform interfaces, and HTML/CSS is the best tool I have found for the job.
Pixel perfect is trivial in any system. Winforms can do pixel perfect, and has a damn hard time doing anything else!
A UI that scales across screen sizes? A UI that auto adjusts itself as needed? You can do it in CSS (many websites do!) but isn't fun.
And I do wonder how you found CSS, a layout language which until recently couldn't even do simple math, to be the best tool for creating UIs.
There have been decent CSS pre-processors out for awhile, sure, those work. If you do parts of your layout using JavaScript at run time, hey, that can also work.
Isn't inefficient coding, which is what we're discussing really, possibly needlessly forcing the specifications of hardware to be more and more powerful rather than getting the best out of the hardware we have now by better coding?
I rather expect causality flows the other way: coding is getting less efficient because hardware is getting faster. Or as the old saying goes, "Intel giveth, and Microsoft taketh away."
Adding HTML to the GUI coding is re-inveting the wheel. There are native toolkits for UI, there are crossplatform UI libraries for a reason. They work, they are fast.
Most desktop applications have a terrible interface compared to modern websites. That wouldn't be the case if the UI libraries were half as good as some people here claim.
Most new desktop applications have a really crappy interface. Mostly because they are trying to copy some new homepage layout and instead is missing lots of information and buttons and fading in/out text and buttons instead of letting me click them directly. Not to mention taking several seconds to load a form that on my 8MHz Atari would have loaded instantly. Yes I'm old, get off my lawn!
Desktop apps from the late 1980s to around 2004 or so were very usable. There were clear UI standards in place for most platforms, and thus a high degree of consistency between applications, even from different vendors.
Even Java's AWT, which came at the tail end of this and pretty much only targeted UI functionality that was common between different UI systems, could create desktop apps that were and are much more usable than the inconsistent web-inspired desktop apps we deal with today.
Let me add myself to the chorus of people standing up for native desktop applications. Sure, there are bad and good examples of both desktop and web UIs. But whats so horrendous about the original Mac OS interface? What was so bad about Gnome 2?
> Apple wants to relegate websites to second-class status on their popular computers, and exercises viewpoint censorship on what “apps” they allow in their “app store”.
I don't remember it that way all. Does anyone else? From what I remember, there was a very heavy consumer demand for the App store, meanwhile Apple was telling everyone just to make web apps. They actively developed WebKit into a cutting-edge, standards-oriented, developer-friendly browser. I don't see how you could say they wanted to "relegate websites to second-class status".
Originally Apple did tell everyone just to make web apps. Renegade hackers made native apps for iOS anyway, creating consumer demand, and Apple relented. All this happened before I wrote that message in 2011. By 2011 webapps were already second-class. (Not as second-class as they are on Android, though!)
That seems to me now like it was just a ruse to buy them time. They went on to hamstrung the browser from attaining native performance and never added all the direct hardware features you could get at with apps - which is what they would have done if they really intended the browser to be an app platform.
Yeah that was when the Iphone was first released in 2007, continued for a while. But by 2011, the app store was already becoming a behemoth, a huge source of profits for Apple, an effective content-curating tool and a close Apple-unique marketplace that they could compare to the Playstore and say 'we've got more and better content, get an iOS device'.
In other words, by 2011 nobody at Apple was telling developers 'web apps instead of native please'.
Meanwhile, in the past years they did effectively cut things like WebGL on iOS because it was a threat to native app performance in the browser. (iOS 8 finally, long overdue, changed this, now that the app store is there to stay.) Or say blocking Nitro on anything but Safari, say Chrome, not a problem for regular websites, but a problem for JS heavy web apps.
That's a design/ideology conflict and not something that can be fixed. On OS X, you can leave a webpage open, and it must be open in order for the notifications to be sent. On iOS, you cannot (terminated whenever there is memory pressure). Push notifications are just way beyond what a website should be able to do, and scheduled ones aren't really all that useful except for a handful of apps.
Can you list some native UI controls that you'd like to use but can't recreate in HTML? I am writing a similar framework and would like to know the use-cases for doing this.
You can recreate almost anything in css/html but you'd have to write a different style for each OS yourself, and it will never match the actual "feel" of the UI. It'll be a little off.
Also, for example Mac OS X has lots of little widgets like the share button.
Maybe someone could make a Bootstrap-like project for these kinds of things?
I recently spent an afternoon trying to get a webapp to accept drag and drop emails from outlook. I didn't manage. I am considering making a native app to interact.
/bin/sh depends on the system. It might be busybox or a minimal shell (this is common on embedded devices). On some systems like OSX and I think CentOS /bin/sh is just bash. You can check with `/bin/sh --version`.
I didn't test back this far; I should have, it's about 10% of android users. I tested back to 4.0 (not that 4.0-4.1.2 being vulnerable matters much, since you can get remote code execution easily through the addJavascriptInterface vulnerability). I tried out 2.1 in the emulator just now and got the same results as you, so it looks like 2.x is not affected by this.
If you could create a valid ServiceWorker at this route, and load it inside some same-domain HTML page, then you could theoretically use it to intercept and rewrite responses to any resources on the domain under its path. Depending on how you rewrite the response you might be able to get the browser to cache the rewritten resource, which could then get used by other domains. Theoretically. I have never tested this :)