Xombrero Web Browser

👤 tarun basu • 📅 April 5, 2026 • 👁️ 36 views • 🔄 Updated May 21, 2026

browser listofbrowser webbrowser

## Overview | Field | Details | | --- | --- | | Name | xombrero (formerly *xxxterm*) | | Developer(s) | Initially by several OpenBSD users including Marco Peereboom; later others contributed | | Engine / Toolkit | Based on WebKit (GTK+) | | License | ISC (open source) | | Platform | Unix-like systems (notably OpenBSD), some ports to other Unix variants; uses GTK, so it was graphical | | Status | Discontinued / inactive | ## History & Evolution | Time / Period | Events / Developments | | --- | --- | | Feb 2010 | Project begins under the name **"xxxterm"** by OpenBSD users. The goal is to build a lightweight, secure, minimal browser to replace heavier browsers like Firefox. | | Early releases (xxxterm days) | Releases identified by CVS/revision numbers. Features include per-site control of cookies/JavaScript, secure defaults, minimal UI, and a vi-like (vim-style) keyboard interface. | | 2012 | The name changes from *xxxterm* → **xombrero**. Announced around version 1.11.2. Version numbering restarts from 1.0 after the rename. | | Mid-2010s (2012–2015) | Regular updates and bug fixes. Version 1.6.4 becomes one of the last stable releases. Popular among minimalism and keyboard-centric users. | | 2016–2017 | Issues arise due to dependency on older WebKit versions with security vulnerabilities. Porting to modern WebKit proves difficult. | | February 2017 | OpenBSD removes xombrero from its ports tree, signaling practical discontinuation. | | 2017 onward | Project becomes largely inactive. No major releases or active maintenance. FreeBSD FreshPorts marks it as deprecated. | ## Key Features & Philosophy Security-first defaults: control over JavaScript, cookies, plugins on a per-site basis. White-listing trusted domains. Minimal GUI: small bars (URL entry, status bar), optional UI elements, keyboard-oriented/vim-like commands. Emphasis on mouseless browsing. Plain text configuration files. Users can configure via the config file rather than GUI preference panels. No URL prefetching / limited prefetching by default (to avoid unintended privacy/security leakages). ## Reasons for Discontinuation / Decline **Security vulnerabilities**: Dependency on older WebKit versions which had known flaws. Porting to newer WebKit (with newer APIs and embedders) is non-trivial. **Maintenance burden**: Probably low number of active maintainers; difficulty keeping up with web compatibility (modern HTML5, JS engines, CSS) with minimal resources. **Removal from major ports trees**: e.g. OpenBSD removed it in Feb 2017. This reduces visibility and ease of installation for users. ## Version / Release Highlights While precise detailed contents for every release is scattered, here are some known version milestones: **xxxterm** versions (pre-2012), up to version 1.11.2 (which preceded rename) **Rename to xombrero**, version numbering restarted at 1.0 after that **Version 1.6.4** is one of the last stable releases (in or around 2015) that is still downloadable. ## Legacy & Community Reception Among users who wanted a browser that is **secure by default**, minimal, light weight, and keyboard friendly, xombrero was highly regarded. However, as websites got more complex (heavy JavaScript, dynamic content, modern CSS, video, etc.), xombrero lagged in compatibility and performance. Because of its discontinuation, users migrated to other minimalist or keyboard-focused browsers (e.g. *qutebrowser*, *surf*, etc.). **xombrero** (originally named **xxxterm**) was a free, open-source, minimalist web browser for Unix-like systems (Linux, \*BSD). It was designed from the ground up with two primary goals: **maximum security** and **keyboard-driven efficiency**. It was a descendant in the lineage of browsers like Uzbl and Surf, but with a much stronger emphasis on security features. The history of xombrero is a story of a developer’s uncompromising vision for a secure and minimal web experience, which ultimately led to the project’s end when maintaining that vision became unsustainable. ### 1. The Origins as xxxterm (c. 2009-2010) The project began under the name **xxxterm**. **Founder and Philosophy:** It was primarily the work of a developer known as **Grzegorz Głowiak (aka “gogo”)**. His philosophy was heavily influenced by the suckless and Unix movements but with a paramount focus on security. **Name Meaning:** The name “xxxterm” was a play on words, suggesting it was an “extreme” version of a web browser that felt as lightweight and controllable as a terminal (`xterm`). **Technical Foundation:** Like Surf, it was built using the **WebKit/GTK** stack, ensuring modern web compatibility. ### 2. Core Innovations and Design Principles From the start, xxxterm/xombrero was defined by a set of aggressive default security measures and a minimal interface. **Security-First Model:** **No JavaScript by Default:** Perhaps its most famous feature. JavaScript was disabled globally unless explicitly whitelisted on a per-site basis. **Strict Cookie Policies:** Cookies were session-only by default and required whitelisting to be persisted. **Disable Plugins:** Plugins like Flash were disabled by default. **Referrer Control:** It could be configured to never send a referrer, enhancing privacy. **Minimalist, Keyboard-Driven Interface:** It featured a very sparse GUI, with a slim start bar and status bar, but no traditional navigation buttons. It was controlled primarily through Vim-like keyboard shortcuts (e.g., `o` to open a URL, `t` for a new tab, `j`/`k` to scroll). **High Customizability:** Behavior was controlled through a configuration file (`~/.xombrero/config`), allowing users to fine-tune keybindings, security policies, and appearance. ### 3. The Rebranding to xombrero (2012) In 2012, the browser was renamed from **xxxterm** to **xombrero**. **Reason for Change:** The name “xxxterm” was often misunderstood and caused issues with search engine filtering and general perception, as it was easily associated with adult content (“XXX”). **New Name:** **Xombrero** is a portmanteau of “X” (as in the X Window System) and “sombrero” (Spanish for “hat”). The developer described it as a “big hat for the web,” possibly implying it was a protective covering for the user’s online activity. ### 4. Peak and Maintenance Mode (2013-2015) During this period, xombrero reached its peak of stability and feature-completeness. It gained a dedicated, if niche, following among: **Security-conscious users** and system administrators. **Vim enthusiasts** who appreciated its modal keybindings. **OpenBSD users**, as its security-centric design aligned perfectly with the OpenBSD philosophy. It was even added to the OpenBSD ports tree. The browser was considered “complete” by its developer—it did what it was designed to do, and development shifted from adding features to maintenance and bug fixes. ### 5. The End of Development (2016) The project was officially discontinued in early 2016. **Primary Reason: Maintenance Burden.** The core reason was the immense difficulty of keeping the internal **WebKit1** engine up-to-date. The web had moved to WebKit2 and Chromium’s Blink engine, which offered a more secure multi-process architecture. Maintaining the older, single-process WebKit1 fork—and patching its endless security vulnerabilities—became an unsustainable task for a single maintainer. **The Inevitable Conflict:** The very engine that made xombrero possible (WebKit) was also its downfall. Its security-first model could not compensate for the inherent vulnerabilities in an outdated rendering engine. **Official Statement:** The developer announced the end of the project, stating that the browser was no longer safe to use due to the unpatched security flaws in its WebKit foundation. ## Key Milestones Timeline | Date (Approx.) | Milestone | | --- | --- | | ~2009 | Project begins as **xxxterm**, founded by Grzegorz Głowiak. | | 2009–2012 | Active development establishes its core security and minimalism features. | | 2012 | Rebranded from **xxxterm** to **xombrero**. | | 2013–2015 | Peak usage and maintenance mode. Popular in niche security and BSD communities. | | Early 2016 | Project officially discontinued due to the unsustainability of maintaining WebKit1. | ## Legacy and Significance Despite its end, xombrero left a significant mark. **Apex of Secure-by-Default Browsing:** It represented one of the most aggressive and principled attempts to create a truly secure-by-default graphical browser. **Influence on Successors:** Its philosophy directly influenced later browsers. **qutebrowser**, for example, adopted a similar Vim-like model but uses the more maintainable Qt WebEngine (Chromium) backend, learning from xombrero’s fate. **A Cautionary Tale:** xombrero’s history is a classic case study in the open-source “maintainer burden,” especially for complex software like a web browser. It highlighted the critical importance of building on a sustainable, up-to-date foundation. In conclusion, xombrero was a brilliant, uncompromising project that served its niche perfectly. It was a browser that truly prioritized the user’s security and control, but it ultimately fell victim to the relentless pace and complexity of the modern web.