HTML is capable of very specific, fixed functions. Sure, video is one of them. But video is not very interactive. You press play, and then you watch. Interactivity in plain HTML is very difficult.
> People are trained for certain behaviours and often don't want to change from that. On the other hand they like new shiney software and things to try out.
No no. People don't use these products because they were "trained" for it. The world of installed native applications existed before the web. The web took off because it's actually way better for many people. Not having to manage installing apps is awesome. Being able to access your data from multiple devices trivially is awesome. Not having to worry about backups is awesome. Being able to collaborate in real time is awesome. People don't just like this stuff because it's "shiney", they like it because it's really, genuinely useful.
> I could imagine markup-only webpages which can call locally installed programs to appear in the tab, but the prorams are installed in trusted ways.
That would actually be way less secure, because those locally-installed programs are almost certainly not security reviewed to the extent that the JavaScript sandbox is. They are far more likely to have exploitable bugs than your JavaScript sandbox. It doesn't matter that you "trust" them.
In practice, the vast majority of programmers do not know how to write secure code. We can't realistically fix that. The answer is to give them programming environments where they can't get it wrong, or at least they can only hurt their own app. We accomplish that with sandboxing.
Starting and stopping a video is an interactive action. Even a drop down menu is interactive. Arbitrary interactivity may not be possible, but I think that is totally acceptable for what we are talking about: remotly delivered, unaccounted, unreviewed and directly and automatically executed code.
That the local and native programs are not as good as the browser-based abominations is no argument for that technology; there are reasons for the businesses to choose this way despite (or because) how bad it is for users.
Code that comes for example from a distribution is signed and maintained by someone I can easily identify. It is looked at by more than the author. I can track the path of the code backwards, if something nefarious happens. That justifies trust in that code.
The comparison of that code with the JavaScript sandbox is invalid, it's to be compared with the delivered JavaScript. There is no reason why even trustably delivered code shouldn't be sandboxed. The comparison of that sandbox with the JavaScript sandbox would be apt.
I agree that sandboxing is important, even for local programs.
OK, I'm glad we agree that native apps ought to be sandboxed too. Unfortunately no major desktop OS does a good job of this yet, which is why, realistically, today, choosing web apps over native apps actually makes your system more secure. Maybe that wouldn't be true in an ideal world where desktop apps were sandboxed as heavily as web apps.
But you're still in denial about the fact that web app delivery is hugely valuable to a lot of people (yes, to users). This isn't even remotely debatable. SaaS is now a $100B/yr industry and growing rapidly. People wouldn't be rapidly replacing locally-installed apps with SaaS if they didn't really want it.
You really can't just proclaim that everyone should give all that up based on your ideology about how software "should" be delivered.
I think we don't contradict each other necessarily. JavaScript applications not delivered by websites but through the package manager would be okay for me. We would have the sandbox on one side and the accounting and responsibility on the other side. After all, even the JavaScript sandbox (FireFox) itself is delivered how I think software should be delivered.
The size of the market is no argument. Supply drives demand.
I don't simply proclaim how things should be done. I point out problems, criticize the status quo based on sound facts, and point to better solutions. What else do you suggest?
There's no shortage of supply of desktop apps, yet web apps are gaining ground rapidly. This indicates that people prefer web apps for some reason.
> What else do you suggest?
Build it. If you truly have a solution that is better for users, then you can make a lot of money if you bring it to market. Then you not only prove you were right, but you make the world a better place and get rich in the process. :)
But somehow you're going to need to make desktop apps significantly better than they are today. You won't win by telling users that their preferences are wrong, you win by giving them something better.
With labels, hidden checkboxes/radio buttons, and some awkward CSS you can make no-javascript collapsible/expandable content, tabs, user-changable colour themes, and other horrible abuses of pure HTML+CSS. With :hover and transitions, you might even be able to make something turing-complete that runs automatically as long as the user's cursor is somewhere over the page! (last time I tried, a box that moved away from the mouse on hover, then automatically returned because it was no longer under it did not move endlessly unless there was an animation/transition on the movement. Could you have a clever way to send signals up the DOM heirarchy by altering the presence/absence of scrollbars or forcing a div to be wider, changing how elements layout with respect to cursor position?).
In those cases, it's certainly easier to use javascript, though.
HTML is capable of very specific, fixed functions. Sure, video is one of them. But video is not very interactive. You press play, and then you watch. Interactivity in plain HTML is very difficult.
> People are trained for certain behaviours and often don't want to change from that. On the other hand they like new shiney software and things to try out.
No no. People don't use these products because they were "trained" for it. The world of installed native applications existed before the web. The web took off because it's actually way better for many people. Not having to manage installing apps is awesome. Being able to access your data from multiple devices trivially is awesome. Not having to worry about backups is awesome. Being able to collaborate in real time is awesome. People don't just like this stuff because it's "shiney", they like it because it's really, genuinely useful.
> I could imagine markup-only webpages which can call locally installed programs to appear in the tab, but the prorams are installed in trusted ways.
That would actually be way less secure, because those locally-installed programs are almost certainly not security reviewed to the extent that the JavaScript sandbox is. They are far more likely to have exploitable bugs than your JavaScript sandbox. It doesn't matter that you "trust" them.
In practice, the vast majority of programmers do not know how to write secure code. We can't realistically fix that. The answer is to give them programming environments where they can't get it wrong, or at least they can only hurt their own app. We accomplish that with sandboxing.