Xombrero Web Browser

tarun basu

Overview

Name: xombrero (formerly xxxterm)

Developer(s): Initially by several OpenBSD users including Marco Peereboom; later others contributed.

Engine / Toolkit: Based on WebKit (GTK+)

License: ISC (open source)

Platform: Unix-like systems (notably OpenBSD), some ports to other Unix variants; uses GTK, so it was graphical.

Status: Discontinued / inactive.

History & Evolution

Time / Period —>Events / Developments
Feb 2010 —>Project begins under the name “xxxterm” by OpenBSD users. The goal is to build a lightweight, secure, minimal browser to replace heavier browsers like Firefox.
Early releases (xxxterm days) —>Releases are sometimes identified by CVS or revision numbers; features such as per-site control of cookies and JavaScript, secure defaults, a minimal UI and a vi-like (vim-like) keyboard interface become part of its design.
2012 —>The name changes from xxxterm to xombrero. The change is revealed in one of the release announcements (version 1.11.2 under the old name). After the rename, version numbering restarts from 1.0.
Mid-2010s (2012-2015) —>Regular updates and bug fixes. Version 1.6.4 is one of the last stable releases (around 2015). The browser continues to be used, especially among minimalist and keyboard-centric users.
2016-2017 —>Problems begin to accumulate, primarily the dependency on older WebKit versions which had security vulnerabilities. Porting to modern WebKit is difficult.
February 2017 —>OpenBSD removes xombrero from its ports tree. This is a strong sign of practical discontinuation.
2017 onward —>The project is largely inactive. Some discussion among users, but no major new releases or active maintenance. The FreshPorts (FreeBSD ports) listing shows the port as deprecated.

Key Features & Philosophy

Security-first defaults: control over JavaScript, cookies, plugins on a per-site basis. White-listing trusted domains.

Minimal GUI: small bars (URL entry, status bar), optional UI elements, keyboard-oriented/vim-like commands. Emphasis on mouseless browsing.

Plain text configuration files. Users can configure via the config file rather than GUI preference panels.

No URL prefetching / limited prefetching by default (to avoid unintended privacy/security leakages).

Reasons for Discontinuation / Decline

Security vulnerabilities: Dependency on older WebKit versions which had known flaws. Porting to newer WebKit (with newer APIs and embedders) is non-trivial.

Maintenance burden: Probably a low number of active maintainers, and difficulty keeping up with web compatibility (modern HTML5, JS engines, CSS) with minimal resources.

Removal from major ports trees: e.g. OpenBSD removed it in Feb 2017. This reduces visibility and ease of installation for users.

Version / Release Highlights

While the precise details of every release are scattered, here are some known version milestones:

xxxterm versions (pre-2012), up to version 1.11.2 (which preceded rename)

Rename to xombrero, version numbering restarted at 1.0 after that

Version 1.6.4 is one of the last stable releases (in or around 2015) that is still downloadable.

Legacy & Community Reception

Among users who wanted a browser that is secure by default, minimal, lightweight, and keyboard friendly, xombrero was highly regarded.

However, as websites got more complex (heavy JavaScript, dynamic content, modern CSS, video, etc.), xombrero lagged in compatibility and performance.

Because of its discontinuation, users migrated to other minimalist or keyboard-focused browsers (e.g. qutebrowser, surf, etc.).

xombrero (originally named xxxterm) was a free, open-source, minimalist web browser for Unix-like systems (Linux, *BSD). It was designed from the ground up with two primary goals: maximum security and keyboard-driven efficiency. It was a descendant in the lineage of browsers like Uzbl and Surf, but with a much stronger emphasis on security features.

The history of xombrero is a story of a developer’s uncompromising vision for a secure and minimal web experience, which ultimately led to the project’s end when maintaining that vision became unsustainable.

1. The Origins as xxxterm (c. 2009-2010)

The project began under the name xxxterm.

Founder and Philosophy: It was primarily the work of a developer known as Grzegorz Głowiak (aka “gogo”). His philosophy was heavily influenced by the suckless and Unix movements but with a paramount focus on security.

Name Meaning: The name “xxxterm” was a play on words, suggesting it was an “extreme” version of a web browser that felt as lightweight and controllable as a terminal (xterm).

Technical Foundation: Like Surf, it was built using the WebKit/GTK stack, ensuring modern web compatibility.

2. Core Innovations and Design Principles

From the start, xxxterm/xombrero was defined by a set of aggressive default security measures and a minimal interface.

Security-First Model:

No JavaScript by Default: Perhaps its most famous feature. JavaScript was disabled globally unless explicitly whitelisted on a per-site basis.

Strict Cookie Policies: Cookies were session-only by default and required whitelisting to be persisted.

Disable Plugins: Plugins like Flash were disabled by default.

Referrer Control: It could be configured to never send a referrer, enhancing privacy.

Minimalist, Keyboard-Driven Interface:

It featured a very sparse GUI, with a slim start bar and status bar, but no traditional navigation buttons.

It was controlled primarily through Vim-like keyboard shortcuts (e.g., o to open a URL, t for a new tab, j/k to scroll).

High Customizability: Behavior was controlled through a configuration file (~/.xombrero/config), allowing users to fine-tune keybindings, security policies, and appearance.
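
As an added example (not xombrero's own code), here is a Python model of the default-deny decisions described in this section, including the host-matching edge cases a per-site whitelist has to get right. The whitelist entries, the leading-dot subdomain convention, the function names, and the assumption that the never-send-referrer option is switched on are all made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample whitelists (not taken from any real xombrero config).
JS_WHITELIST = {".example.org"}          # assumed: leading dot = domain + subdomains
COOKIE_WHITELIST = {"mail.example.net"}  # assumed: no dot = this exact host only


def host_of(url):
    """Return the lowercased host a request really goes to, or '' if none."""
    try:
        host = urlsplit(url).hostname or ""  # drops any user:pass@ prefix
    except ValueError:                       # malformed authority, e.g. bad IPv6
        return ""
    return host.rstrip(".")                  # "example.org." == "example.org"


def listed(host, whitelist):
    """Match on label boundaries so 'evilexample.org' never hits '.example.org'."""
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(url):
    """Default-deny policy for one page load, following the list above."""
    host = host_of(url)
    persist = bool(host) and listed(host, COOKIE_WHITELIST)
    return {
        "javascript": bool(host) and listed(host, JS_WHITELIST),
        "cookies": "persistent" if persist else "session",
        "plugins": False,        # plugins stay disabled by default
        "send_referrer": False,  # assumes the never-send-referrer option is set
    }
```

The lookalike host `evilexample.org` and the userinfo trick `https://example.org@evil.test/` both stay on the deny path because matching is done on the parsed host and on label boundaries, not on a substring of the URL.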

3. The Rebranding to xombrero (2012)

In 2012, the browser was renamed from xxxterm to xombrero.

Reason for Change: The name “xxxterm” was often misunderstood and caused issues with search engine filtering and general perception, as it was easily associated with adult content (“XXX”).

New Name: Xombrero is a portmanteau of “X” (as in the X Window System) and “sombrero” (Spanish for “hat”). The developer described it as a “big hat for the web,” possibly implying it was a protective covering for the user’s online activity.

4. Peak and Maintenance Mode (2013-2015)

During this period, xombrero reached its peak of stability and feature-completeness. It gained a dedicated, if niche, following among:

Security-conscious users and system administrators.

Vim enthusiasts who appreciated its modal keybindings.

OpenBSD users, as its security-centric design aligned perfectly with the OpenBSD philosophy. It was even added to the OpenBSD ports tree.

The browser was considered “complete” by its developer—it did what it was designed to do, and development shifted from adding features to maintenance and bug fixes.

5. The End of Development (2016)

The project was officially discontinued in early 2016.

Primary Reason: Maintenance Burden. The core reason was the immense difficulty of keeping the internal WebKit1 engine up-to-date. The web had moved to WebKit2 and Chromium’s Blink engine, which offered a more secure multi-process architecture. Maintaining the older, single-process WebKit1 fork—and patching its endless security vulnerabilities—became an unsustainable task for a single maintainer.

The Inevitable Conflict: The very engine that made xombrero possible (WebKit) was also its downfall. Its security-first model could not compensate for the inherent vulnerabilities in an outdated rendering engine.

Official Statement: The developer announced the end of the project, stating that the browser was no longer safe to use due to the unpatched security flaws in its WebKit foundation.

Key Milestones Timeline

Date (Approx.)—>Milestone
~2009 —>Project begins as xxxterm, founded by Grzegorz Głowiak.
2009-2012 —>Active development establishes its core security and minimalism features.
2012 —>Rebranded from xxxterm to xombrero.
2013-2015 —>Peak usage and maintenance mode. Popular in niche security and BSD communities.
Early 2016 —>Project officially discontinued due to the unsustainability of maintaining WebKit1.

Legacy and Significance

Despite its end, xombrero left a significant mark.

Apex of Secure-by-Default Browsing: It represented one of the most aggressive and principled attempts to create a truly secure-by-default graphical browser.

Influence on Successors: Its philosophy directly influenced later browsers. qutebrowser, for example, adopted a similar Vim-like model but uses the more maintainable Qt WebEngine (Chromium) backend, learning from xombrero’s fate.

A Cautionary Tale: xombrero’s history is a classic case study in the open-source “maintainer burden,” especially for complex software like a web browser. It highlighted the critical importance of building on a sustainable, up-to-date foundation.

In conclusion, xombrero was a brilliant, uncompromising project that served its niche perfectly. It was a browser that truly prioritized the user’s security and control, but it ultimately fell victim to the relentless pace and complexity of the modern web.
