from Hacker News

Direct Sockets API in Chrome 131

by michaelkrem on 11/1/24, 11:35 PM with 159 comments

  • by modeless on 11/2/24, 2:08 AM

    I think a lot of people don't realize it's possible to use UDP in browsers today with WebRTC DataChannel. I have a demo of multiplayer Quake III using peer-to-peer UDP here: https://thelongestyard.link/

    Direct sockets will have their uses for compatibility with existing applications, but it's possible to do almost any kind of networking you want on the web if you control both sides of the connection.

  • by chocolatkey on 11/2/24, 12:59 AM

    When reading https://github.com/WICG/direct-sockets/blob/main/docs%2Fexpl..., it's noted this is part of the "isolated web apps" proposal: https://github.com/WICG/isolated-web-apps/blob/main/README.m..., which is important context because the obvious reaction to this is the security nightmare.
  • by chrisvenum on 11/2/24, 3:57 AM

    I found this issue indicating a bad idea for end user safety:

    https://github.com/mozilla/standards-positions/issues/431

  • by jeswin on 11/2/24, 4:49 AM

    I prefer web apps to native apps any day. However, web apps are limited by what they can do.

    But what they can do is not consistent - for example, it can take your picture and listen to your microphone if you give permissions; but it can't open a socket. Another example: Chrome came out with a File System Access API [2] in August; it's fantastic (I am using it) and it allows a class of native apps to be replaced by Web Apps. As a user, I don't mind having to jump through hoops (as a user) and giant warning screens to accept that permission - but I want this ability on the Web Platform.

    For Web Apps to be able to compete with native apps, we need more flexibility, Mozilla. [1]

    [1]: https://mozilla.github.io/standards-positions/
    [2]: https://developer.chrome.com/docs/capabilities/web-apis/file...

  • by Uptrenda on 11/2/24, 2:04 PM

    I saw this proposal years ago now and was initially excited about it. But seeing how people envisioned the APIs, usage, etc, made me realize that it was already too locked down. Being able to have something that ran on any browser is the core benefit here. I get that there are security concerns but unfortunately everyone who worked on this was too paranoid and dismissive to design something open (yet secure.) And that's where the proposal is today. A niche feature that might as well just be regular sockets on the desktop. 0/10
  • by mlhpdx on 11/2/24, 3:57 AM

    I’m excited, and anticipate some interesting innovation once browser applications can “talk UDP”. It’s a long time in the making. Gaming isn’t the end of it — being able to communicate with local network services (hardware) without involving an API intervening is very attractive.
  • by Spivak on 11/2/24, 3:43 AM

    Anything that moves the web closer to its natural end state, the J(S)VM, is a win in my book. Making web apps a formally separate thing from pages might do some good for the web overall. We could start thinking about taking away features from the page side.
  • by fhdsgbbcaA on 11/2/24, 3:31 AM

    Great fingerprinting vector. Expect nothing less from Google.
  • by hipadev23 on 11/2/24, 7:31 AM

    What about WebTransport? I thought that was the HTTP/3 upgrade to WebSockets that supported unreliable and out-of-order messaging.
  • by troupo on 11/2/24, 9:35 AM

    Status of specification: "It is not a W3C Standard nor is it on the W3C Standards Track."

    Status in Chrome: shipping in 131

    Expect people claiming this is a vital standard that Apple is not implementing because they don't want web apps to compete with App Store. Also expect sites like https://whatpwacando.today/ to uncritically just include this.

  • by badgersnake on 11/2/24, 6:12 PM

    It’s pretty clear Google are building an operating system, not a browser.
  • by bloomingkales on 11/2/24, 2:44 AM

    Can a browser run a web server with this?
  • by arzig on 11/2/24, 11:46 AM

    The inner platform effect intensifies.
  • by westurner on 11/2/24, 8:59 PM

    From "Chrome 130: Direct Sockets API" (2024-09) https://news.ycombinator.com/item?id=41418718 :

    > I can understand FF's position on Direct Sockets [...] Without support for Direct Sockets in Firefox, developers have JSONP, HTTP, WebSockets, and WebRTC.

    > Typically today, a user must agree to install a package that uses L3 sockets before they're using sockets other than DNS, HTTP, and mDNS. HTTP Signed Exchanges is one way to sign webapps.

    But HTTP Signed Exchanges is cancelled, so arbitrary code with sockets if one ad network?

    ...

    > Mozilla's position is that Direct Sockets would be unsafe and inconsiderate given existing cross-origin expectations FWIU: https://github.com/mozilla/standards-positions/issues/431

    > Direct Sockets API > Permissions Policy: https://wicg.github.io/direct-sockets/#permissions-policy

    > docs/explainer.md >> Security Considerations : https://github.com/WICG/direct-sockets/blob/main/docs/explai...

  • by demarq on 11/2/24, 7:04 PM

    Something tells me this is more to do with a product Google wants to launch rather than a genuine attempt to further the web.

    I’ll keep my eyes on this one, see where we are in a year

  • by FpUser on 11/2/24, 4:01 PM

    All nice and welcome. At what point does the browser become a full-blown OS with the same functionality and associated vulnerabilities, yet still less performant as it sits on top of another OS and goes through more layers? And of course run and driven by one of the largest privacy invaders and spammers in the world.
  • by revskill on 11/2/24, 3:08 PM

    That means we can connect directly to a remote Postgres server from a web browser?
  • by kureikain on 11/2/24, 6:27 AM

    This means that we can finally do gRPC directly from browser.
  • by Asmod4n on 11/2/24, 12:12 PM

    Thank god they plan to limit this to electron type apps.
  • by sabbaticaldev on 11/2/24, 12:16 PM

    So with this I would be able to create a server in my desktop web app and sync all my devices using WebRTC.
  • by hexo on 11/2/24, 2:39 PM

    Game over for security.
  • by tjoff on 11/2/24, 7:33 AM

    Great, so now a mis-click and your browser will have a field day infecting your printer, coffee machine and all the other crap that was previously shielded by NAT and/or a firewall.
  • by grishka on 11/2/24, 6:46 PM

    Can we please stop this feature creep in browsers already?
  • by pjmlp on 11/2/24, 11:28 AM

    Yet another small step into ChromeOS take over.
  • by huqedato on 11/2/24, 8:38 AM

    Just now, when I have only recently switched permanently to Firefox...
  • by Jiahang on 11/2/24, 2:59 AM

    nice!
  • by xenator on 11/2/24, 2:35 AM

    Can't wait to see it working.