The Web is a Series of Hacks

July 2014

This post is a draft. Content may be incomplete or missing.

Brain Dump

Let’s take a look back at where we came from and where we are:

  • HTML was TeX with hyperlinks. Do a compare/contrast table. Point out HTML’s key differentiators
  • CSS was the answer for people who cared about data presentation, even though HTML (like TeX) was designed to fundamentally disregard data presentation
  • JavaScript was the answer for people who wanted to manipulate the document structure dynamically, without page loads.
  • When did HTTP add verbs like PUT? I wonder if even that was a concession to people who wanted to misuse HTML
  • One good reason JavaScript wasn’t type-safe or object-oriented: it was supposed to be a toy scripting language that kind of looked like Java
  • What makes JavaScript even more bizarre is it’s the first concession for people who want to turn the browser into an interpreter, rather than a TeX compiler
  • HTML+CSS+JS are slowly becoming more application-friendly, but they’re fundamentally what they always were
  • Server-side languages are – hang on, there are no server-side languages
  • Server-side libraries are built on one fundamental principle: string concatenation. Wanna generate some HTML? Insert some CSS? Create some JavaScript literals? Query a database?
  • Most of the security problems in webapps stem from all this concatenation – it puts injection vulnerabilities everywhere. String validation and escaping is monkey-patching. Why don’t we separate data from logic?
  • The other security problems stem from the fact that the HTML stack was never meant to be a secure system that can run government systems and world banks – it was a document library with convenient inter-document references!
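The concatenation problem in the two bullets above, shown concretely. This is an added example, not code from the post: the same piece of data (a name containing a quote or a tag) is fed once into a query and a page built by string concatenation, and once into the same query and page with the data kept separate from the SQL and HTML text. The in-memory table and the names in it are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table for the demo (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("<b>Bob</b>", "user")],
    )
    return conn


def find_role_concat(conn, name):
    """Concatenation: the data becomes part of the SQL program text."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_role_param(conn, name):
    """Parameterized query: the SQL text is fixed, the data travels separately."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_concat(name):
    """Concatenation: the data becomes part of the HTML structure."""
    return "<p>Hello, " + name + "</p>"


def greeting_escaped(name):
    """Escaping keeps the data as text; the markup stays what the author wrote."""
    return "<p>Hello, " + html.escape(name) + "</p>"


def demo():
    """Run both styles on the same inputs and collect what each produced."""
    conn = make_db()
    results = {}
    try:
        # The apostrophe in O'Brien terminates the string literal early:
        # the data has rewritten the logic, and the query no longer parses.
        results["concat_obrien"] = find_role_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["concat_obrien"] = "error: " + str(exc)
    results["param_obrien"] = find_role_param(conn, "O'Brien")
    results["html_concat"] = greeting_concat("<b>Bob</b>")
    results["html_escaped"] = greeting_escaped("<b>Bob</b>")
    return results
```

The concatenated query fails on an ordinary surname, and the concatenated page turns a user's name into markup; the parameterized query and the escaped page treat the same bytes as data.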