Hacker News | sergeykish's comments

When people believe "they are the product", bully Open Source developers for not following their demands and get the expected response, then entities appear that validate their wrongs for views (money).

Lunduke spreads misinformation. That's anti Open Source, anti community.


> Lunduke spreads misinformation

He doesn't. He just reports events as a journalist. He doesn't fight against open source.


Name how it's possible to improve security on X11 without breaking changes.

Lunduke made factually wrong claims for hype. His mob are keen to attack Open Source developers.


You can use Xephyr or Xnest to sandbox an untrusted or insecure application within its own X11 instance. This gives you the exact same kind of security property that Wayland happens to enforce out of the box for its clients, except that it need not apply to basic desktop components such as the window manager or the desktop panel. You don't even need Xlibre or anything, this stuff has been around for ages. It's not rocket surgery!


Xephyr or Xnest sandbox break screensharing, global shortkeys.

You've just confirmed the obvious. No way to improve security without breaking changes. And you demand mostly nontechnical users to blacklist applications. That's a recipe for disaster.


>Name how it's possible to improve security on X11 without breaking changes.

Namespaces. It's been done already. Look into XLibre.

>Lunduke made factually wrong claims for hype.

Citation needed.

>His mob are keen to attack Open Source developers.

Doesn't own a mob, and never happened. Horrible accusation, by the way.


Once you enable XLibre namespaces filtering it breaks screensharing, global hotkeys. Obviously. It is a breaking change.

> Doesn't own a mob, and never happened. Horrible accusation, by the way.

Mob unable to respond to a technical question. To use logic.

> Citation needed.

His YouTube comment section speaks volumes. He manipulates the technically uneducated.


> Once you enable XLibre namespaces filtering it breaks screensharing, global hotkeys. Obviously. It is a breaking change.

Ah, the classic moving of goalposts.

I'll bite: It is far from impossible, and already solved elsewhere: Most applications do not need such functionality.

For those that do, provide mechanisms to request and facilitate access to such functionality when needed. Like portals do for other functionality. And a wrapper to request automatically for e.g. old binaries without source.

> (further slander on Lunduke and community)

Uncool.


An API is a contract. The API grants access to screen content, key presses. Users blame Wayland for breaking this contract. Both Wayland and XLibre namespaces break it. The Lunduke mob is unable to reason, claims "moving goalposts". The Lunduke mob claims improving security is not needed. The Lunduke mob wants the Linux desktop to be a malware can. They claim security improvements for everyone (like defaults on Android) are corporations taking away their freedom. The Lunduke mob is unable to comprehend that Wayland was started by XOrg developers who knew X11's flaws. They are unable to be thankful for people bringing security to modern expectations.


"Poland provoked occupation by Germany" (1939)? Germany "liberated Czechoslovakia Germans" by occupation and annexation (1938)? How occupation and annexation of neighbors ended for WW2 Germany (1938-1945)?

In 2014 Moscow invaded Ukraine, occupied Crimea, Donetsk, Luhansk. In 2022 Moscow invaded again. No NATO forces in Ukraine. No Moscow forces on NATO members' territory. Trump officials are unable to answer who started the war, you blame NATO, both you and Trump are aligned with Moscow.


> No Moscow forces on NATO members territory.

But Russian plane incursions (regularly) happen, and also drones fall on NATO territories.


Windows RT "sideloading" denied for ordinary users, costly for Line-of-Business apps (2012).

Microsoft UWP only Microsoft Store. Microsoft backtracked on their walled garden Windows plans for a while as a result of the Windows Phone fiasco.

Yes, we are.


So `.setHTML("<script>...</script>")` does not set HTML?


Sounds reasonable enough to me. 99.99% of the times you’re in an actual script, if you mean to execute code, you’d just execute it yourself, rather than making a script tag full of code and sticking that tag into a random DOM element. That’s why the default wouldn’t honor the script tag and there’d be an “unsafe” method explicitly named as such to hint you that you’re doing something weird.


But it breaks an abstraction. Sometimes you just want to take working HTML and insert it into a document. It will be painful if suddenly this does not work, and you have to dig into the documentation to see why.


It is also painful when your app gets hacked, accounts get taken over and abused, user data is compromised, and so on. For serious sites it's worth the pain to turn on security enforcement features.


Ok, but be sure to make it optional. Putting 10 locks on your door is great for security, but it's not for everyone.

And instead of this security feature some might want to take a more fundamental look at security which might lead them to a completely different design. Again, make it optional.


It is optional. Use setHTMLUnsafe.


Then just use innerHTML, it's not going away.


If a developer so green that they don’t know what script injection risk is, and doesn’t know about innerHTML vs this method, stumbles into that scenario, I want them to encounter friction and have to dig into the documentation to find out why their script tag wasn’t run. Then they can start to learn how to do their job correctly. Having everything “just work” unsafely by default is not a viable best practice on the Web in 2025. Things have been slowly changing in this direction for at least a decade.

In fact, it’s better for the industry even if a few such individuals are so pained by having to learn about and handle security that they just quit web development entirely. Just like aspiring pilots who can’t stand checklists and safety rules should pursue a different career.


Neither does

    .innerHTML = "<script>...</script>"


Molotov-Ribbentrop Pact: Moscow divided Poland with Germany (1939), invaded Finland (1939), occupied the Baltic States (1940). For two years of WW2 Moscow was Germany's ally. After WW2 Moscow occupied half of Europe for 45 years, countries became free less than 50 years ago. Moscow made the North Korea and China regimes, still supports dictatorship across the world, occupies and annexes neighbors.


Facts. Do you have no moral ground on WW2 Germany either?


Wars are bad and the person who wins is right. That’s how it has been for all of history. There are no just wars. Just, wars.


Do you support Oct 7? Do you claim Israel's actions are not retaliation? Do you blame Ukraine for fighting occupants?


The majority of the Russian Federation population supports the occupation of Ukraine - independent polls at the start of the open invasion. They would stop only when faced with consequences.


Yes. And donating to the Ukrainian army directly has direct consequences for exactly those who volunteer fighting against Ukraine.

Punishing all Russians, well, punishes all Russians independent of opinion.


English is my third language, the first two use a phonetic alphabet. Blaming bad spelling on ITA is like German, Spanish speakers blaming their own languages.

English spelling is a facade. Real English can be seen when sentences are written in IPA. Having visual confirmation of sound feels refreshing.

ITA "lief ov a fisherman" is neither phonetic nor English. It replaced a broken system with another broken system.


aws s3 ls s3://bucket/prefix/ --recursive | wc -l

sed 1d

