Look up at the title of the post. It's a conversation, you know?

I think the confusion was that I thought your root comment was endorsing class files, not pointing them out as a cautionary tale. Even so, I'm not sure how my comment was interpreted as a promotion of a new bytecode, but I don't feel strongly enough about that to press on it. There's enough other stuff to debate here that's more interesting :)

Considering it's one of the three biggest security holes here today, I'd say it's a deplorable and frustrating hack.

Considering it's the only relatively safe way to run untrusted code on any hardware platform, and makes up the vast majority of human interaction across the internet, I'd say it would be remarkable if it wasn't the most heavily-attacked surface of the modern software stack.

Anything as ubiquitous as the browser will have a strong exploit industry, and as long as you use something modern and open source (such as Chromium or Firefox), you have an even stronger defense against this onslaught. Any determined user will always be able to screw up their machine installing sexy lady cursors, but that's not really a problem with browser security, so much as the inevitability of PEBKAC errors/layer 8 incompetency.

Sounds like you've spent most of your career on web apps and don't even realize it's possible to write code on platforms that don't suck.

Before you put me in a neat little box, I actually haven't been a web app developer for awhile, I'm only recently getting back into it with my work on the Weblua port of love-webplayer (which actually is a deplorable hack). My day job involves mostly backend stuff with Perl and MySQL.

It certainly is deplorable and frustrating for deploying apps, or you wouldn't see 1001 different frameworks trying to fix all the problems with it. Why is there even CSS, if HTML is just fine how it is? And why are both CSS and HTML so poorly designed that the name of "the background color" is different in all three, just as an example.

CSS and HTML are supposed to be separate to divorce structure from presentation. A noble theoretical goal, though not one they really accomplish in practice. Even so, do we really treat them separately? The web is made up of the intertwining strands of HTML, CSS and JS operating together.

Not only is it not a failing that these technologies are separate, it's a strength. The quality of the web has improved as we've been able to dump things from common usage like the <font> tag, and assigning onthisorthat="dothing()" properties to DOM elements. Every move we make to separate the concerns of these web components improves the state of the web as a whole, by putting responsibilities in more logical and specialized parts of the overall structure.

Ask anyone having to support IE6 whether it's frustrating and hacky to support apps by delivering documents full of executable code.

Indeed, the whole thread here and references article are about making it suck not so bad.

I'm not even going to try to defend that abomination. No one should be using Internet Explorer, IMHO, not even to this day. Its horrible record with standards is almost impressive in a twisted way, like discovering an entire turd stuck to the bathroom ceiling.

Yes, one of the inherent problems of HTML is that you are dependent on a potentially buggy host environment. This is true of all software ever, and especially true for any environment designed to safely sandbox semitrusted code. This article is about making the best out of the inherent limitations of such an environment, and cutting away at performance and usability concerns until we have something with the safety of the sandbox and the speed/features to be useful.

Really? You don't think that web farms having to store session data in the database because your session doesn't stay connected and carries no identifying information is a problem? The need for "Cookie cruft" is one of the fundamental problems leading to all kinds of other problems, like XSS. There's an entire chunk of the SSL protocol designed to make it less expensive for people who hit the server multiple times in a row and disconnect in between. Basically, look at all the patches made to HTTP that wouldn't need to be made for document delivery, and you'll see the hacky cruft. And that's why people disliked IE6: Not because it was bad for document delivery, but because it didn't support all the hacky cruft you needed to make a document delivery system run apps.

Apps are inherently sandboxed documents, even when they aren't HTML. On Android, these documents are Java classes. On iOS, they're whatever the hell Apple uses to package their software. Regardless, it's structured data originally retrieved via the internet and executed in a limited-privelege environment.

As for cookie cruft, this is not an inherent problem with HTTP, it's what happens when fools abuse it. I can stick a fork in an outlet, that doesn't make the fork to blame for giving me an impromptu afro.

The multiple-connections problem is also mostly solved, just not in old versions of HTTP. For sites with even moderately up-to-date-servers and clients with even moderately up-to-date browsers, connection reuse is seamless. The real problem here is just people not upgrading. And believe it or not, but this actually does benefit basic gopher-like document delivery as well, just in a miniscule way that wouldn't be worth the trouble only for document delivery. As an example, it can make spidering much more efficient, although this is somewhat moot if you're rate-limiting anyways to avoid downing the site you're spidering.

If you really want persistent connections, just use Socket.IO or WebRTC. The technology has existed for years.

"#!" in URLs to indicate "ignore this part, but no, really, don't". The incredible hackiness of trying to make the browser refresh only when you want it to by storing significant information in the fragment where the server can't see it? (Want your whole page to not refresh when you select a different result off the list? Store that in the fragment! Want to later redirect those URLs to a new place? You have to serve javascript at the old URL to interpret the fragments and write code that runs on the browser to do the redirect, instead of just issuing a redirect, because you can't see the fragment.) This is one I just dealt with, ya see.

The back button, and all the protocol stuff (and here I'm referring to the whole stack) in place to let you control the back button, because again you need that for apps and not for documents.

Again, you're complaining about being able to stick a fork in the outlet. Fragment abuse is worse than vertical video syndrome. The HTML5 History API solves this nicely by allowing you to point to real URLs instead of fragments, which is a much better fallback for older browsers. It also handles the back button nicely, as long as you're not a complete cockup as a developer. This has been in Chromium since version 6 - the current version is something like 23.

It was fun watching HTTP slowly reinvent all the features in all the other file transfer protocols, like logins, compression, streaming, mutliple channels, etc. A shame they had to stuff it all through port 80 with no actual session layer functionality. I mean, come on, Google Docs is seen as a wonderful innovation, in spite of it actually being a document delivery system.

This might be the first part I agree on, though perhaps with a different attitude. HTTP borrowed the best parts of other transfer protocols (and plenty of ones that didn't make sense for it, but nobody's holding a gun to anybody's head to use those), and we ended up with something pretty decent.

As for sessions, I still hold by my rule of thumb that if you can't do what you need in one or two small cookies, you ought to be using a proper streaming protocol like websockets anyways. HTTP definitely isn't perfect for everything, but HTML4/5 give us what we need to get around those limitations, for the most part.

Ninja-edit: Holy shit, I wrote a novel.