> Anything you'd want to filter can be controlled directly via browser embedding APIs, without any vagaries or guesswork.
Then they'll already be immune to many exploits, great. You're not really arguing against my point here.
> I'm not sure what you mean here
Sorry. What I meant by webkit-specific was basically a bug that is in webkit but not a more general text or image rendering bug that affects the entire system.
> any properly encrypted messaging system requires the client to assume that any received message is completely attacker controlled
I disagree. Many messaging systems don't send html. If they do send raw html, for most of those apps it's not unreasonable to trust the server, because if the server is compromised they could just send a malicious update. So you only care about things that can make it through the system, which is a tiny percent of html, and renders 90% or whatever of web engine bugs unreachable.
> Even in these hypothetically constrained messaging and social media apps, if nothing else, often allow you to just view web content from within the app.
Now that is an app that is vulnerable! But only some do that, especially on desktop.
> What matters is how many users would be exposed, which is a function of the number of apps, the number of users of all of those apps, and the degree to which those apps are exposed to arbitrary content.
I agree. I just don't want to overstate the degree.
Then they'll already be immune to many exploits, great. You're not really arguing against my point here.
> I'm not sure what you mean here
Sorry. What I meant by webkit-specific was basically a bug that is in webkit but not a more general text or image rendering bug that affects the entire system.
> any properly encrypted messaging system requires the client to assume that any received message is completely attacker controlled
I disagree. Many messaging systems don't send html. If they do send raw html, for most of those apps it's not unreasonable to trust the server, because if the server is compromised they could just send a malicious update. So you only care about things that can make it through the system, which is a tiny percent of html, and renders 90% or whatever of web engine bugs unreachable.
> Even in these hypothetically constrained messaging and social media apps, if nothing else, often allow you to just view web content from within the app.
Now that is an app that is vulnerable! But only some do that, especially on desktop.
> What matters is how many users would be exposed, which is a function of the number of apps, the number of users of all of those apps, and the degree to which those apps are exposed to arbitrary content.
I agree. I just don't want to overstate the degree.