Nearly all of the security and privacy problems we have with the World Wide Web today was because it went from a content-delivery platform (with deliberately limited interactivity) to a fairly complete app-delivery platform.

Javascript isn't the new Java. Web browsers are the new Java.

I would be very much in favor of a way to draw a line between "content" on the web and "apps" delivered by the web. I don't know what form that would take. But it will probably never happen because the FAANGs that run the web these days are actively opposed to any way to deliver content over the web that doesn't also let them include apps to track your activities online.

Maybe some kind of plain text machine-parsable-but-human-readable "protocol" that "applications" could use to specify the "content type" of some "resource" they want to "get"...

That line was blurred long ago, and the distinction between an "app" and a "page" is irrelevant today. Even news articles these days sometimes contain interactive elements like WebGL visualizations.

Personally, even though every new API inevitably gets abused, I don't think we should throw the baby out with the bathwater because there are tons of legitimate uses here. (In fact, I'm currently building something as a side project that would benefit greatly from these file system APIs.) My own worry is about complexity creep—specifically, the number of things I'll be expected to know and keep track of as a frontend engineer in another 10 years. But that's probably just me getting older. :)

We already have this system.

> foobar.com wants to access your location. [Block] [Allow]

> foobar.com wants to access your camera and microphone. [Block] [Allow]

> foobar.com wants to send push notifications. [Block] [Allow]

Ideally these prompts are presented above the line of death, and clicking “Block” prevents future prompts, so you can’t get spammed.

Of course users click on these prompts without caring. Of course websites may try to unnecessarily block access if you dont agree. Of course websites make their own obviously fake prompts so you click “block” and then they present the obviously fake prompt again just to waste your time.

But users already download and open random files and grant them admin privileges, and websites already spam you. The current notification system works and extending it to WebGPU and file systems is natural.

Exactly my thoughts when the pitchforks come out over advances in browser tech. Arguments denouncing such progress eventually leave me feeling like banning personal computers and only allow communication via physical paper would be the only way to satisfy the nay-sayers.

If web apps are fully sandboxed by default as today, then presenting the user a UI for a web page wanting to upgrade to a (still sandboxed permissionless) web app seems like a waste of the user's attention. Why should the user see a prompt just because a webpage wants to do some WebGL visualization (that doesn't put any of the user's data at risk)? It seems like the perfect recipe to lead to user apathy to permission dialogs and users clicking to allow permissions automatically, because most of the dialogs are for nothing, but then the user may be taught to click through actual important dialogs just as automatically. I'm reminded of when IE used to warn the user about secure connections.

> If web apps are fully sandboxed by default

Are they, though?

If they were, then tracking users via third-party cookies and other resources wouldn't be possible. Nor would it be possible for a web site in my browser to suddenly start taking up all of my CPU/RAM due to a programming error or malicious site such as a crypto-miner. For the relatively little isolation that does happen, sandbox-escape vulnerabilities seem to be getting discovered all the time.

Also, as a technical user, I want more control over what web sites can do with my computer than a non-technical user might.

The more holes you poke in a sandbox, the worse a sandbox it is.

Third-party cookies seem to be on the way out thankfully. I agree that there should be a permission necessary (or at least some much better heuristic) for allowing a webpage to use too much CPU/memory.

> Why should the user see a prompt just because a webpage wants to do some WebGL visualization (that doesn't put any of the user's data at risk)?

Probably because there's no way to say that it "doesn't put any of the user's data at risk". WebGL has been abused for browser fingerprinting which itself puts user's privacy at risk, but it also has a long history of very nasty vulnerabilities and exploits. It's been fully disabled in my browser for years because of the security issues.

Web browsers are not bulletproof. Their sandboxing implementations depend on OS features, which vary. Check a CVE database for your favorite browser and you'll find plenty of historic holes to dig through.

WebGL is one of the biggest fingerprinting vectors on the modern Web platform, and expands browser attack surface significantly. Most webpages should absolutely not have access to privileges like this.

But WebGL does put the users data at risk. WebGL is an attack vector for fingerprinting which is data about the user, that gets correlated with other data about the user to stalk them.

> so every "web page" has all the capabilities of a "web app" by default

Hasn't many (if not most?) major expansions of capabilities been behind a permissions prompt, making them not available to every web page by default?