I was hacked by IE (viruses on Windows), Firefox, and Chrome.
Few years ago, at revolution, Chrome told us about MITM attack and refused to connect to Google servers, while Firefox noticed nothing.
Few years later, attackers used my Chromium, which I used for work, to spy on my Firefox window, which I use for private browsing, by capturing of whole screen when Chromium sit unused. (I have it recorded on video).
All the problems with security seem to come from JavaScript exploits intrinsic to the engine, not any of the new features (misty because the new features are strictly typed and have the power of hindsight with modern design principles), so it’s not like new features are strictly an antigen to security.
> All the problems with security seem to come from JavaScript exploits intrinsic to the engine
Yes the classic memory-related bugs come from the engine, but the comment explicitely mentioned leaks and I don't think that was about the memory ones. Many of the new "features" turned out to leak sensitive or at least identification-enabling information. Imo having remote code execution without a big red warning that this is stupid and you should not do it that users can't click away without being forced to think about it just isn't a good idea, even if it is sandboxed. At the very least we should have a permission-based system where users need to authorize every single Javascript API, for every single connection/file/database/whatever and be unable to ignore it without disabling the APIs. That would imo be the best compromise since web-devs would be forced to think about what they are doing to users computers¹ while still allowing applications to be built.
¹ My hope being that they wouldn't include [bullshit fontend framework] except when absolutely necessary
I think you underestimate the number of users who would either blanket-approve everything or switch to a browser that doesn't nag so much. Most people care very little about their privacy online.
