blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git

fqa.shtml (10709B)


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<!--#include file="/templates/head.shtml" -->
<title>BadWolf FQA — lanodan’s cyber-home</title>
</head>
<body>
<!--#include file="/templates/en/nav.shtml" -->
<main>
<!--#include file="/projects/badwolf/nav.shtml" -->
<h1>BadWolf Frequently Questioned Answers</h1>
<h2 id="blink"><a href="#blink">§</a> But isn't WebKit basically Blink/Chromium?</h2>
<p>Nah, Google pretty much never really used WebKit without patching it and they hard forked it around 2010, so right when HTML5 and related arrived, thus helping the gap form, with differences like:</p>
<ul>
<li>Replacing JavaScriptCore with V8</li>
<li>Removing the <code>-webkit-*</code> prefixes in CSS</li>
<li>Moving the plugin API from Netscape Plugin API to Pepper Plugin API</li>
<li>Creating their own API for extensions</li>
<li>Tracking and concerning APIs like WebUSB, which on the other hand <a href="https://webkit.org/tracking-prevention/">WebKit stands against</a></li>
<li>Shoving so much code in it that it ends up being comparable to an operating system but with weekly releases</li>
</ul>
<p>Oh and Blink basically doesn't exist in a standalone manner, so browsers like Opera or Edge are based on Chromium rather than just mere Blink.</p>
<cite>Doctor Who (2005), Season 3, Episode 10 [~ 00:33]</cite>
<blockquote>
<p>Don't blink. Don't even blink. Blink and you're dead. They are fast, faster than you could believe, don't turn your back, don't look away, and don't blink.</p>
<p>Good luck.</p>
</blockquote>
<h2 id="security"><a href="#security">§</a> Security</h2>
<p>In the alternative browsers scene, actual security/privacy based on source code and program architecture, rather than pure (dis)belief of trust, is a major catastrophe and internet commenters get it wrong almost all the time.</p>
<ul>
<li>Since mozembed/XULRunner's death (~2015) most Firefox-based browsers never get security fixes on time, especially the meme ones (Waterfox, Palemoon, Basilisk, GNU IceCat, …) and they tend to add security issues. The only exception is the <a href="https://www.torproject.org/">Tor Browser</a>, which I would highly recommend using.</li>
<li>Mozilla likes to install blobs (EME, Google adb, OpenH264 in a way) and ask for backdoors; remember the Firefox Study that was advertised to patch your browser when they failed the basic management of renewing a certificate for the second time and where you ended up with all your addons disabled? (except sideloaded ones but that feature got removed because of broken operating systems such as Microsoft Windows)</li>
<li>QtWebKit has yet to make a release without already known security issues; this has been going on for years</li>
<li>QtWebEngine is doomed to never get security fixes discovered in the Chromium Project (its upstream) released on time since the releases are synchronised with the rest of Qt</li>
<li>WebKit is basically the only engine out there that tries to reuse known good code from others rather than doing its own code, which also means much easier audits</li>
<li>Google, through the Chromium Project, is the one pushing for a lot of dangerous APIs; stuff like EME, WebUSB, … are from them</li>
</ul>
<p>The GTK and WPE APIs of WebKit might not be very popular (hard to find numbers, GTK is on Unix desktops, WPE is on embedded devices), but WebKit has a good user share through Safari (20~30%, what was once Firefox's userbase, which is 7% and descending), which makes them audited by stuff like Google's Project Zero. The only reason I could see why internet commenters so often claim WebKit is insecure is because it's how they could execute exploits on video consoles, which in my opinion has more to do with their operating system (I got "root" on my Nintendo 3DS via the music player…) and update model (it's easier to push an exploit than update the system of a Nintendo 3DS).</p>
<p>
Now, on browsers that I would actually trust as secure rather than just believe them to be good enough? Well, for starters, the ones without any JavaScript. Not that JavaScript is evil; it's a terrible language but there are a lot of those out there. The problem is that there are way too many dangerous APIs getting added and with barely enough protections.<br />
Sadly a lot of websites require JavaScript and you can't always get away from them. Good part? WebKit doesn't implement the APIs that can be security threatening and avoids anti-privacy ones, for example WebUSB got basically instantly rejected as dangerous.
</p>
<h2 id="adblocker"><a href="#adblocker">§</a> AdBlocker?</h2>
<p>
As mere JavaScript blocking isn't enough, BadWolf includes support for WebKit's content-filters; this allows blocking unwanted content (ads, nagware, ...) directly in the engine.<br />
The file is at <code>${XDG_CONFIG_HOME:-$HOME/.config}/badwolf/content-filters.json</code><br />
For some introductory information about the format see: <a href="https://webkit.org/blog/3476/content-blockers-first-look/">Introduction to WebKit Content Blockers</a>, <a href="https://webkit.org/blog/4062/targeting-domains-with-content-blockers/">Targeting Domains with Content Blockers</a>, <a href="https://developer.apple.com/documentation/safariservices/creating_a_content_blocker">Creating a Content Blocker</a>.
</p>
<p>For a converter using Adblock Plus-style filters, try: <a href="https://gitlab.com/eyeo/adblockplus/abp2blocklist">https://gitlab.com/eyeo/adblockplus/abp2blocklist</a></p>
<p>For a ready-to-use file (that you should update periodically), try: <a href="https://easylist-downloads.adblockplus.org/easylist_min_content_blocker.json">https://easylist-downloads.adblockplus.org/easylist_min_content_blocker.json</a></p>
<h2 id="privacylvl"><a href="#privacylvl">§</a> How good is its privacy?</h2>
<p>It's an in-between of <a href="https://torproject.org/">Tor Browser</a> and your regular browser and much better than most other WebKitGTK browsers out there since day 1. Tor Browser stands for anonymity by having everyone get the same fingerprint over the Tor network. BadWolf is for when you don't use the Tor network (for any reason) and thus need a more normal fingerprint depending on your region (i.e. languages and timezones) while still having reasonable privacy.</p>
<h2 id="web_compat"><a href="#web_compat">§</a> How good is its web compatibility?</h2>
<p>Outside of websites and webapps that are outright hostile to WebKit it's been doing pretty well; the only times during 2020 that I launched another web browser were <a href="https://lynx.invisible-island.net/">lynx</a> to get even less web, or Firefox/Chromium for WebRTC things like BigBlueButton and Jitsi Meet (WebRTC should get there thanks to GStreamer).</p>
<h2 id="multimedia"><a href="#multimedia">§</a> How do you play audio/video files?</h2>
<p><em>*Sigh*</em> You'll need plugins for GStreamer. Gentoo has a metapackage to help named <a href="https://repology.org/project/gstreamer:meta/versions">media-plugins/gst-plugins-meta</a>, I'm not aware of other distros/ports offering such a useful package, otherwise install at least those:</p>
<ul>
<li><del><a href="https://repology.org/project/gstreamer:vaapi/versions">gst-plugins-vaapi</a>: For hardware video acceleration</del> Has been a source of rendering issues, <a href="https://www.webkitgtk.org/2022/05/28/webkitgtk2.36.3-released.html">WebKitGTK 2.36.3+ stopped using it</a></li>
<li><a href="https://repology.org/project/gstreamer:libav/versions">gst-plugins-libav</a>: For H.264 video decoding (uses ffmpeg)</li>
<li><a href="https://repology.org/project/gstreamer:good/versions">gst-plugins-good</a>: See splits</li>
<li><a href="https://repology.org/project/gstreamer:bad/versions">gst-plugins-bad</a>: See splits</li>
<li><a href="https://repology.org/project/gstreamer:ugly/versions">gst-plugins-ugly</a>: See splits</li>
</ul>
<p>And if your distro does split GStreamer:</p>
<ul>
<li><a href="https://repology.org/project/gstreamer:vpx/versions">gst-plugins-vpx</a> (gst-plugins-good) VP8/VP9 encoding/decoding</li>
<li><a href="https://repology.org/project/gstreamer:hls/versions">gst-plugins-hls</a> (gst-plugins-bad) HTTP Live Streaming</li>
<li><a href="https://repology.org/project/gstreamer:dash/versions">gst-plugins-dash</a> (gst-plugins-bad) MPEG-DASH streaming</li>
<li><a href="https://repology.org/project/gstreamer:faad/versions">gst-plugins-faad</a> (gst-plugins-bad) AAC (common in MP4 videos) decoder</li>
<li><a href="https://repology.org/project/gstreamer:opus/versions">gst-plugins-opus</a> (gst-plugins-base) Opus</li>
<li><a href="https://repology.org/project/gstreamer:mpg123/versions">gst-plugins-mpg123</a> (gst-plugins-good) MP3 decoder</li>
<li><a href="https://repology.org/project/gstreamer:modplug/versions">gst-plugins-modplug</a> (gst-plugins-bad) MOD/XM/… (soundtracker files) audio decoder</li>
<li><a href="https://repology.org/project/gstreamer:webrtc/versions">gst-plugins-webrtc</a> (gst-plugins-bad) WebRTC (not used yet)</li>
</ul>
<p>Take a look at WebKit's <code>Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp</code> starting around line 250 to get a full list of the supported mime types.</p>
<h2 id="search"><a href="#search">§</a> Search Engine support? (search entry)</h2>
<p>No, I do not want to support/promote such tools until a good implementation appears (not looking for suggestions). Your own SmartBookmarks keywords (so like entering <code>wp lolcat</code> in the location entry to go to <a href="https://en.wikipedia.org/wiki/lolcat">Lolcat - Wikipedia</a>) are gonna be supported though.</p>
<h2 id="vi"><a href="#vi">§</a> vi keybindings</h2>
<p>Maybe in a branch / future config option if someone steps in but otherwise I'm not going to provide some half-assed keybindings (I do use vi editors but never their style of keybindings outside of the editor)</p>
<h2 id="footprint"><a href="#footprint">§</a> Resource Usage</h2>
<p>In my experience: CPU usage is pretty low, memory usage is about as high as others (me hyperusing the separated contexts doesn't help), disk usage is basically nonexistent.</p>
<h2 id="config"><a href="#config">§</a> Configuration</h2>
<p>Most of the UI/UX stuff is already exposed via GTK and BadWolf's <code>interface.css</code> file. Its own configuration is gonna come once I find a reasonable way to have a plain-text config editable by a settings manager.</p>
</main>
<!--#include file="/templates/en/footer.shtml" -->
</body>
</html>
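
The AdBlocker section above points at a content-filter file that is fetched from a third party and updated periodically. The following is an added example, not part of BadWolf or of this repository: a Python check that a downloaded list is a well-formed array of `trigger`/`action` rules before it is copied to the path given in that section. The function names, the sample rules and the accepted action types (those named in the content-blocker documents linked from that section) are assumptions of this example.

```python
import json
import os

# Action types named in the content-blocker documents linked from the page.
# Assumption of this example: any other type is reported as a problem.
KNOWN_ACTIONS = {"block", "block-cookies", "css-display-none",
                 "ignore-previous-rules", "make-https"}

def filters_path(env=os.environ):
    """Resolve ${XDG_CONFIG_HOME:-$HOME/.config}/badwolf/content-filters.json."""
    # Like ':-' in the shell form, fall back when the variable is unset or empty.
    base = env.get("XDG_CONFIG_HOME") or os.path.join(env["HOME"], ".config")
    return os.path.join(base, "badwolf", "content-filters.json")

def check_filters(text):
    """Return a list of problems found in a content-filter JSON document."""
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(rules, list):
        return ["top level must be an array of rules"]
    problems = []
    for i, rule in enumerate(rules):
        trigger = rule.get("trigger") if isinstance(rule, dict) else None
        action = rule.get("action") if isinstance(rule, dict) else None
        if not isinstance(trigger, dict) or not isinstance(action, dict):
            problems.append(f"rule {i}: needs 'trigger' and 'action' objects")
            continue
        url_filter = trigger.get("url-filter")
        if not isinstance(url_filter, str) or not url_filter:
            problems.append(f"rule {i}: trigger needs a non-empty 'url-filter'")
        if "if-domain" in trigger and "unless-domain" in trigger:
            problems.append(f"rule {i}: 'if-domain' and 'unless-domain' are exclusive")
        kind = action.get("type")
        if not isinstance(kind, str) or kind not in KNOWN_ACTIONS:
            problems.append(f"rule {i}: unknown action type {kind!r}")
        elif kind == "css-display-none" and not isinstance(action.get("selector"), str):
            problems.append(f"rule {i}: 'css-display-none' needs a 'selector'")
    return problems

# Constructed sample: one valid rule followed by three defective ones.
SAMPLE = r"""[
 {"trigger": {"url-filter": "ads\\.example\\.net"}, "action": {"type": "block"}},
 {"trigger": {"url-filter": ".*"}, "action": {"type": "css-display-none"}},
 {"trigger": {"url-filter": ".*", "if-domain": ["a.example"],
              "unless-domain": ["b.example"]}, "action": {"type": "block-cookies"}},
 {"trigger": {}, "action": {"type": "allow"}}
]"""
```

Run `check_filters()` on the downloaded text and only write it to `filters_path()` when the returned list is empty, so a truncated or malformed download never replaces a working filter file.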