Recently the two Internet giants -Google and Yahoo!- released very interesting products focused on breaking the limits imposed by browsers. Are they revamped versions of ActiveX?

Yahoo! Browser Plus

Last October Yahoo! opened its BrowserPlus platform. It is a portable plugin platform available for Firefox, Chrome, Internet Explorer and others. BrowserPlus plugins are made available to JavaScript in web apps using a very nice service concept that handles versioning and updates quite well.

Depending on a service is quite easy and installation of new services is painless for the user. Here’s a JavaScript snippet that will generate a Growl notification on Mac OS X and equivalent messages in other systems:

function notify(status){
  if(status.success)
    BrowserPlus.Notify.show({title: "Hello World", message: "Ola Mundo"}, function() {});
}

function require(_){
  BrowserPlus.require(
    {
      services:[{service: "Notify"}]
    },
    notify
  );
}

BrowserPlus.init({}, require);

The number of services made available by default is interesting for a new service, but currently only Yahoo! and partners can develop plugins/services. This is a huge problem but I believe it will be fixed by open-sourcing the platform next year. Meanwhile some interesting hacks are popping up.

The security is managed by the BrowserPlus platform. It won’t allow your JavaScript to perform unsafe operations or even touch files that were not selected explicitly by the user. The sad thing is that BrowserPlus is not free software yet, therefore only Yahoo! knows how secure it really is.

Google Native Client

Google released their NativeClient project. I understood from its research paper that NaCl creates a sandboxed environment for native code that can be attached to a browser. The sandbox works in two levels, trying to statically identify code that looks suspicious and filtering System Calls, allowing only those in a white list to be called by untrusted code. NaCl offers those features by patching gcc and the standard GNU toolset.

At first I could not understand why anyone would release something like that, we have lots of different virtual machines that can be integrated to browsers already and most of them offer security devices like those implemented in NaCl. But after reading the paper I now think that it does make some sense. The Virtual Machines I’m familiar with take some time to optimise code, even if you use a single VM instance for multiple applications each one would still take some warm-up time. Given that it is not likely that a user will spend more than several minutes in most web applications, it is not going to work for applications like Google Earth or sophisticated games.

The lack of buzz in the mainstream web development blogs and sites is, for me, a signal that NaCl won’t get much further before breaking the language barrier (i.e. gcc? wtf?). Most people building cool applications for the web are not really familiar with C or any native language. Hopefully it won’t be hard to come up with a Virtual Machine for JavaScript (a port of V8?) or other language. NaCl is in “research” state (is it Google’s word for Alpha?) and had a warm but still positive reaction in reference sites and blogs.

Is it a good idea? I still don’t known. NaCl is free software and runs with Firefox but I’m really not sure if it will get the necessary adoption rate. Chrome is not getting as popular as some hoped, probably because of the long time it is taking to get Linux and Mac versions out. Maybe the best would be to push for a W3C standard for NaCl after the research phase is concluded.

Concluding

The browser has always limited what companies like Yahoo! and Google can do. Some have tried to push the web to the edges but failed.

In the long run Yahoo! BrowserPlus and Google NativeClient are just patches in an old concept that should be completely refactored. Browsers should evolve from HTML viewers with scripting support to proper client-side application servers.

Anyway I like both ideas. BrowserPlus works and can be used by the average web developer without much fuss. Native Client is an experiment and may be great or just disappear like any other.

Just like some people are doing with Mozilla Ubiquity I think it is interesting to have something around BrowserPlus in a “labs” section of web apps right now. As for NaCl, I’d expect a JavaScript VM running on top of it very quickly.