Normal users want a subset of what the browser is capable of, but even more usability than what a browser comes with by default. If they can tie their browser in with Twitter, make it auto-log-in to every account they have and pipe in music from iTunes all at once, that’s a good day. Security people, for the most part, want a different subset of the browser, and want very few of the usability improvements that browsers are adding in. Unfortunately, we are also stuck with whatever everyone else wants, because we do have to use the same sites. And the worst part is the browsers weren’t designed with guys like Jeremiah in mind - they were designed with thoughts of people who had never used a computer before. As a result, the browsers are built on legacy software that in turn needs to support other legacy software, all atop a very flexible architecture, which makes it harder and harder to be secure over time.
As such, yes, Jeremiah is absolutely forced to have a less secure browsing experience because of Yandex and the 1000 other edge cases that we have been unable to break for fear of backlash. This includes breaking requests to localhost because of Google Desktop. This includes breaking cross-zone requests to RFC1918 addresses because of legacy banking apps. All kinds of dumb things that should never have been built that way are causing us to be less secure, and until we’re willing to break the web (like with the CSS history hack fix that Mozilla championed) we’re going to be stuck with the least common denominator problem. I wish I had the answer, but I don’t.