What a weird polemic. "With Google WebComponents here we mean the use of CustomElements and Shadow DOM, especially when used in combination, and in dynamically created document structures (e.g. using module loading/unloading and/or slotted elements). ... WebComponents used "in full" (i.e. dynamically) inherently creates complex web page structures that cannot be saved, archived or even displayed outside of the designated targeted browsers (primarily Google Chrome)."

It's a web API. Browsers implement it. Including Safari and FF. If the argument is that it's hard to implement and makes it harder for new browser implementations, the same could be said of new CSS features, other APIs like Web Audio, etc. Trying to brand Web Components as Google-only may have worked in the v0 prototype days in like 2014, but it's factually not the case today.

It's a web API, but it's a web API that requires development work to do, and Goanna (Pale Moon's pre-multiprocess, pre-all-the-things-that-make-modern-Firefox-good Gecko fork) would need to implement those APIs.

Just ran checksec on Pale Moon's Linux binary distribution - their binaries are built with no mitigations whatsoever. ASLR disabled, no stack canaries, no fortify.

This whole project appears to be a security disaster and nobody should use it.
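For readers unfamiliar with what a checksec-style report looks at, here is an added example (not part of the thread, not checksec's own code, and not a measurement of any Pale Moon build). It assumes ELF64 little-endian input, treats a byte scan for `__stack_chk_fail` and `__*_chk` names as a heuristic for canaries and fortify, and runs on two constructed images.

```python
import re
import struct

ET_DYN = 3                     # e_type of a PIE executable (also of shared objects)
PT_GNU_STACK = 0x6474E551      # segment whose flags say whether the stack is executable
PT_GNU_RELRO = 0x6474E552      # segment remapped read-only after relocation
PF_X = 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header

def elf_hardening(data: bytes) -> dict:
    """Report build-time mitigations visible in an ELF64 little-endian image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    segs = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):
            raise ValueError("truncated program header table")
        p_type, p_flags = PHDR.unpack_from(data, off)[:2]
        segs[p_type] = p_flags
    return {
        "pie": e_type == ET_DYN,   # position-independent, so ASLR can move the image
        "nx_stack": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in segs,
        "canary": b"__stack_chk_fail\x00" in data,   # heuristic: imported symbol name
        "fortify": re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None,
    }

def sample_elf(e_type, segments, strtab=b""):
    """Constructed image: file header, program headers, then a fake string table."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    return ehdr + phdrs + strtab

# Constructed samples, not real binaries.
HARDENED = sample_elf(3, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                      b"\x00__stack_chk_fail\x00__memcpy_chk\x00")
UNHARDENED = sample_elf(2, [(PT_GNU_STACK, 7)], b"\x00memcpy\x00")

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, elf_hardening(image))
```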

The real security disaster on the modern web is commercial groups taking over setting standards and turning the web browser into an OS with all the security problems that entails.

The opposite is the case - web applications are one of the best things to happen, security-wise, in a long time.

Web applications are fully isolated and sandboxed, have fine-grained permissions, are easy to inspect, and the runtime is built with a modern threat model.

ChromeOS is probably the most secure desktop OS for this reason.

I want my browser to expose more functionality to web apps, because it means that I have to run less random unsandboxed code on my underlying OS.

> are easy to inspect

Until they're delivery vehicles for obfuscated wasm to canvas rendering applications. Then nothing of the "web as graph of hypertext documents" will be left.

There's been a lot of ridiculous FUD about "DRM will be used even for text!!1" (wrt. EME especially) and nothing of that sort has materialized.

(also, wasm changes nothing here, you could always obfuscate js just as much)

Flipboard made react canvas to render directly to canvas instead of the dom. https://github.com/Flipboard/react-canvas