The project looks very promising but relies on running a lot of JavaScript from untraceable sources in the browser.
Given the long history of vulnerabilities in the browsers, trusting js from a well-known website might be OK; trusting js from zeronet is unreasonable.
If ZeroNet could run with js code generated only by the local daemon or without js it would be brilliant.
Chrome added a feature a long while back I really wanted for ages. The ability to specify the checksum of a linked asset, so that it can be verified as it's downloaded (and untrusted/discarded if not). I just can't find the docs for it. :( My Google-fu is not strong.
It's kind of a shame they didn't let their imagination fly with that one... I wish integrity were a global attribute, because I could totally see using it for things like images and audio/video.
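Added example, not part of any comment in this thread: the checksum feature discussed above is Subresource Integrity (the `integrity` attribute on `<script>` and `<link>`), and this Node.js sketch shows how such a value is built and checked, including the rule that only the strongest listed hash algorithm counts. The function names and the sample asset bytes are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// Hash algorithms SRI defines, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// Build an integrity value ("<algo>-<base64 digest>") for an asset's bytes.
function sriFor(bytes, algo = "sha384") {
  if (!ALGOS.includes(algo)) throw new Error(`unsupported algorithm: ${algo}`);
  return `${algo}-${createHash(algo).update(bytes).digest("base64")}`;
}

// Split an integrity attribute into usable {algo, digest} entries,
// ignoring tokens with an unknown algorithm or malformed base64.
function parseIntegrity(value) {
  const entries = [];
  for (const token of value.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/.exec(token);
    if (m) entries.push({ algo: m[1], digest: m[2] });
  }
  return entries;
}

// True when the bytes match any digest of the strongest algorithm listed.
// Weaker hashes in the same attribute are ignored, so a stale sha256 cannot
// vouch for content that fails the sha512 check. With no usable token there
// is nothing to enforce and the check passes, as it does in browsers.
function verifyIntegrity(bytes, value) {
  const entries = parseIntegrity(value);
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => ALGOS.indexOf(e.algo)));
  const algo = ALGOS[best];
  const actual = createHash(algo).update(bytes).digest("base64");
  return entries.some((e) => e.algo === algo && e.digest === actual);
}

// Constructed sample data: an asset as published and a modified copy.
const asset = Buffer.from("console.log('hello from the site bundle');\n");
const tampered = Buffer.from("console.log('hello from someone else');\n");
const pinned = sriFor(asset);
console.log(`<script src="app.js" integrity="${pinned}"></script>`);
console.log("original accepted:", verifyIntegrity(asset, pinned));
console.log("tampered accepted:", verifyIntegrity(tampered, pinned));
```

The check only helps when the page carrying the `integrity` value comes from a source more trusted than the asset it pins.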
This is why native clients (real native clients, not browsers-in-cans) are so important: they enable one to be more secure against targeted attacks, and they enable many eyes to review code and hence make one more secure against untargeted attacks.
Frankly, given much of the history of successful Internet tools & protocols, I'd love to see some text-UI clients for ZeroNet.