Google announces brand new web browser core, so does Mozilla

Filed Under: Featured, Firefox, Google, Google Chrome

One day, two new rendering engines announced, three browsers involved!

When you wait ages for a bus, and then three come along at once, it's not a coincidence: it's a side-effect of queuing and traffic lights.

But what about when three browser vendors make announcements on the same day?

Robust competition? Serendipity? Coincidence? Or a bit of all of them?

Google announced Blink, a fork of the Webkit browser that aims to build a smaller and safer rendering platform based on what Google is unashamedly referring to as a "healthier codebase."

Opera, which is retiring its own rendering engine Presto and replacing its browser core with Chromium, the open-source flavour of Google Chrome, indirectly announced its commitment to the Blink-based flavour of Chromium.

And Mozilla announced Servo, or, more accurately, announced an ARM port of its experimental browser engine Servo, written in its new and experimental programming language Rust.

→ The ARM processor is the CPU in most Android devices in the marketplace. Samsung, which sells a wide range of Android offerings, including phones, tablets, and phablets (giant phones or tiny tablets depending on whether they're against your ear or on your lap) is partnering with Mozilla in the Servo-on-ARM project.

A new rendering engine has at least one similarity with marriage, namely that it is not an undertaking to be entered into lightly.

A web browser is not just an HTML parser but also a CSS handler, a JavaScript interpreter, a DOM manager, a page layout engine, and an image processor, as well as a programming platform in its own right.

Modern browsers support all manner of third-party add-ons, extensions and plugins that typically let you customise almost everything to do with the browser's look, feel, and feature set. (Java applets, anyone? Flash videos? Audio playback? 3D modelling? Interactive games?)

Both projects, Blink and Servo, are forward-looking, by which I mean they aren't finished products that you can download and install right now.

Google talks about "the next 12 months" in its Developer FAQ, and talks about the "next generation" of web apps.

Mozilla's posting refers to "the coming year", and admits that both Rust and Servo are "early stage projects."

Sceptics, therefore, may very well write off both announcements as little more than positioning statements.

Indeed, their coincidental arrival on the same day will probably convince the real cynics that the announcements had more to do with the browser makers' marketing departments than with engineering.

Don't be too judgmental, though.

Mozilla's post comes from Brendan Eich, Mozilla CTO and well-respected inventor of JavaScript.

Google's was written by Adam Barth, who's a software engineer and security researcher.

And both companies talk prominently about security and simplicity as a motivator for the projects:

Chromium uses a different multi-process architecture than other WebKit-based browsers, and supporting multiple architectures over the years has led to increasing complexity for both the WebKit and Chromium projects...

[Rust] is *safe by default*, preventing entire classes of memory management errors that lead to crashes and security vulnerabilities.

It's pleasing to see this sort of language prominent in new project announcements.

Google's writeup, indeed, explicitly talks about how many lines of code Mountain View expects to be able to remove from the Webkit codebase, which is a refreshing change from product announcements that talk up all the features that have been added since the last release.

Web developers might not feel quite as enthusiastic as I do, of course, because a brand new rendering engine means a brand new list of browser-specific pecadillos, a need for yet more special-case code tweaks, and a whole new environment to test.

Nevertheless, the principle of hybrid vigour suggests that breeding the next decade's browsers from a broader range of genetic starting material is unlikely to do any harm.

I think we should welcome these announcements as evidence that at least part of the battle in today's browser wars isn't vendor against vendor, but instead a collective fight against cybercriminality.

What do you think? Have your say in the comments below...

, , , , , , , , , ,

You might like

5 Responses to Google announces brand new web browser core, so does Mozilla

  1. pogue972 · 912 days ago

    I very much like the fact that Chrome will be making the browser lighter and more efficient. But, I'm very disappointed in Opera for dropping their great Presto engine. I really wish they would release it as an open source project so other developers can use it and work on it.

  2. JimboC_Security · 912 days ago

    I am really glad to see Opera, Mozilla and Google switching to new rendering engines since us as users should benefit from a faster, more standards compliant and secure experience.

    With both Mozilla and Google building in security from the beginning, this is a potentially very significant change. It is very similar to Microsoft beginning its Trustworthy Computing Initiative in January 2002 (which later led to the creation of the Secure Development Lifecycle (SDL)). The SDLs purpose is to include security and privacy throughout the entire development lifecycle of a software product.

    One of the first widespread results of this process Windows XP SP2 in August 2004 and every subsequent version of Windows, Windows Server and Office (as well as many other Microsoft products) have had security built into every stage of their development. Adobe followed Microsoft’s lead June 2009 with their introduction of the Secure Product LifeCycle - SPLC):

    • spryte · 911 days ago

      "...more standards compliant..."?!?!

      Opera was the only browser that demanded W3C compliance and now they've given up on that.
      Web designers/developers love long as its theirs and someone else's.

  3. JimboC_Security · 912 days ago

    I am not saying that this is the primary motivation of all of the browser vendors in this article to create new rendering engines but writing code from the very beginning can have big security benefits. This is what Google done with Chrome OS and it did not suffer any total compromise during the recent Pwnium 3.

    In addition, since Google is removing code from its rendering engine, just think of all of the potential future vulnerabilities that it has removed along with it. In a similar vein Mozilla is also building in security from the beginning that mitigates memory management errors (especially significant due to the recent popularity of use after free vulnerabilities). This should mean a lot less security updates to be installing and will lead to an interesting Pwn2Own contest next year.

    However it is not all good news, as Paul pointed out in his article, web developers are going to have to get to grips with how these new engines work and this will mean a lot of extra testing. Perhaps since standards compliance is much more rigorously adhered to in recent times, this should not be too difficult and hopefully some of the code for one browser will partially or completely work in another.

    Thank you.

  4. Nigel · 911 days ago seems the switch to Servo might also affect at least one other browser---namely, SeaMonkey---and possibly a fourth, the OS X-only Camino browser. Both browsers currently run on Mozilla's Gecko rendering engine.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog