Best viewed in Nordstjernen

Nordstjernen is an independent, legendary web browser

Innovations in the Nordstjernen web browser

Nordstjernen (“the North Star”) is a web browser written from scratch in C, built in Norway. It is a clean-room implementation — no Gecko, no WebKit, no Blink, nothing forked from an existing engine.

Where the rest of the industry has converged on three engines maintained by a handful of the largest companies on earth, Nordstjernen is small enough that a single human can read and audit it end to end: roughly 127,000 lines of C plus a thin C++/Qt shell. This article surveys what the browser does today, how it is built, the technical innovations that set it apart, and where it is going.

« Back to nordstjernen.org

Nordstjernen rendering a web page
Nordstjernen rendering a page. more screenshots »

Current features and architecture

Nordstjernen is a real browser, not a toy. It targets the HTML and CSS standards directly — behaviour is measured against the WHATWG/W3C spec text, section by section, rather than against another browser’s quirks. The reference standards are the WHATWG HTML Living Standard, the WHATWG DOM Standard, the WHATWG URL Standard, and the W3C CSS specifications (the current CSS Snapshot plus the individual modules — Cascade, Flexbox, Grid, Transforms). As of mid-2026 the section-by-section walk-through of the in-scope HTML standard records 136 spec rows fully implemented, 27 partial, and 4 absent.

Small by design

The single most important number in this whole document is the size of the source. Nordstjernen’s engine is about 120,000 lines of clean-room C (roughly 127,000 counting the thin C++/Qt shell). For comparison, the engines it competes with are cited at tens of millions of lines: Chromium is commonly estimated at around 35 million lines of code, and Firefox/Gecko at well over 20 million. Nordstjernen is therefore on the order of 200–300× smaller than either.

That is not a vanity metric. A codebase one person can read end to end in a few weeks is a codebase that can actually be audited, reasoned about, and kept honest. Tens of millions of lines cannot be — not by any individual, and arguably not by any single team. Small is the security property, the maintainability property, and the independence property all at once: it is the reason a browser like this can exist outside a giant corporation at all.

Engine stack. The pieces are deliberately small and vendored in-tree so there are no submodules and no surprise downloads:

Rendering and the UI shell. CSS cascade, flexbox, grid, transforms, gradients, and @keyframes are laid out and painted through GTK 4’s GSK renderer (a Qt 6 shell is also shipped). A minimalist presentation-MathML renderer puts equations inline on the text baseline. WebGL 1/2 is mapped onto OpenGL ES, opt-in per site and gated behind a trust prompt. An experimental WebGPU surface layers over external wgpu-native and stays off unless explicitly enabled.

Media, kept deliberately tiny. Exactly one video codec is built in — MPEG-1, decoded in pure portable C by the vendored single-file pl_mpeg. An .mpg/.mpeg/.m1v <video> plays inline, honouring autoplay/loop/muted/poster and click-to-play. Audio (MP2 via pl_mpeg, MP3 via minimp3) plays through a small unsandboxed helper over SDL2. Everything else — other codecs, streaming blob: sources — is handed to an external player. There is no media stack to maintain or to be exploited.

Process-per-tab isolation. Each tab’s engine runs in its own sandboxed nordstjernen-renderer process. The GTK/Qt application is a thin shell that blits the renderer’s shared-memory framebuffer and forwards input over an IPC control channel. A page that crashes — or is compromised — cannot take down the UI or reach its siblings. An optional --single-process mode trades the sandbox for footprint on low-memory machines and for debugging.

A local-only AI start page. The about:start new-tab page is a chat with a small language model running entirely on the user’s machine via llama.cpp — no cloud, no network at inference time. Models download once, integrity-checked against a pinned SHA-256 digest, with optional Vulkan or Metal GPU offload. This is the only AI in the product: there are no AI-style web APIs exposed to pages, by design.

Nordstjernen ships no telemetry of any kind, does not phone home, and does not run “studies” infrastructure.

Why C

Writing a new browser in C in 2026 looks contrarian, and it is a deliberate choice. The benefits the language buys here are concrete:

Modern C: the language kept evolving

C is not the language it was in 1999. The current standard, C23 (ISO/IEC 9899:2024), modernised it considerably, and Nordstjernen builds against contemporary GCC and Clang that implement it. The improvements that matter for safe, readable systems code include:

The takeaway: “written in C” no longer means “written in K&R C.” A modern C codebase gets static-analysis-friendly attributes, checked arithmetic, and stronger typing while keeping everything that makes C portable, fast, and auditable.

Development methodology

Nordstjernen is developed in a way that is itself part of the story.

Innovations

Ahead-of-time JavaScript compilation — speed without a JIT

The headline innovation is the AOT JavaScript compiler. Every production browser speeds up JavaScript with a just-in-time compiler that allocates writable memory at runtime, writes machine code into it, and flips it executable. That single capability is the substrate for an entire class of real-world browser exploits — JIT spraying, type-confusion → JIT — and it forces the sandbox to permit mprotect(PROT_EXEC), weakening it for everything else.

Nordstjernen moves code generation to build time. Its aotc tool reuses the real QuickJS front end to compile JavaScript to bytecode, proves a function lies in a safe numeric subset, and lowers that bytecode to C, which a trusted offline compiler turns into native code mapped from a read-only executable image. The analysis is sound by construction: the compiler emits native code only when it can prove the result is bit-for-bit identical to interpreting the function, and otherwise declines so the interpreter handles it. It can never change a program’s meaning — at worst a function simply is not accelerated. A 55-case self-check confirms AOT and interpreter agree across arithmetic, logic, loops, recursion, float math, and edge cases, and that out-of-subset programs fall back correctly.

The payoff: 3.8×–35× faster than the interpreter on numeric workloads — fib(28) retires 9.2M instructions versus the interpreter’s 1.06 billion — while the renderer never needs writable-executable memory at all. The seccomp sandbox keeps denying it. This is a genuinely different point in the design space: JIT-class speed on the workloads it can prove safe to accelerate, with none of a JIT’s attack surface. The accelerated subset is numeric today and widening; everything outside it runs interpreted, exactly as before.

Security: a landlocked renderer

Security is structural rather than bolted on. Each tab’s engine runs as an unprivileged child process behind an IPC and shared-memory boundary, and on Linux that process is landlocked — confined with both a seccomp system-call filter and the kernel’s Landlock LSM — so even a fully compromised renderer can touch almost nothing: no filesystem it was not explicitly granted, no sound device (audio is brokered out to a separate helper), and, thanks to the no-JIT design, no way to create executable memory. The untrusted page never launches external programs; only the trusted UI shell does. Combined with no telemetry and no auto-update pinger, the result is a browser whose threat surface is small enough to reason about.

Built clean-room by AI agents

Nordstjernen is, as a practical matter, a browser written largely by AI coding agents — Claude and Codex — working in long autonomous sessions against a human-defined product vision and a strict set of operating constraints. It is a concrete demonstration that a from-scratch, spec-conformant, cross-platform browser engine is now within reach of agentic development, when paired with disciplined methodology: small vendored dependencies, a self-auditable codebase, a spec-first conformance target, and the running browser as the verification oracle. The 127,000 lines are not inherited; they were written, here, deliberately.

A license that prevents harmful free-riding while allowing commercial use

Nordstjernen ships under the Nordstjernen Source License v1.0 (NSL-1.0), inspired by the Functional Source License. The intent is to be genuinely open and fair while preventing the one outcome that kills small open projects — a larger company taking the code wholesale and shipping a competing browser:

This combination — open and modifiable for almost everyone, protected against extractive free-riding, monetizable by agreement, and guaranteed to become MIT over time — is itself one of the project’s deliberate innovations.

And several quieter ones

The headline items above are not the whole list. A few smaller innovations matter in aggregate:

David vs Goliath: why the web needs more engines

It is worth stating plainly what Nordstjernen is up against. Essentially the entire web now renders on three engines: Blink (Google), WebKit (Apple), and Gecko (Mozilla, itself largely funded by Google). Blink and WebKit share a common ancestor, and Mozilla’s market share keeps shrinking, so in practice the web is increasingly one engine, controlled by one advertising company. When a browser engine is also the de-facto specification, “standards compliance” quietly becomes “whatever Chrome does.” A single vendor effectively decides what the web is.

That monoculture is fragile in three ways:

Nordstjernen is the contrary bet: that a from-scratch engine can still be built by a tiny team, precisely because it refuses the bloat — ~127,000 lines instead of tens of millions, no JIT, one video codec, no telemetry, auditable end to end by one person. The web does not need another Chromium skin; it needs a genuinely independent engine, and an independent engine is only credible if it is small enough to actually exist outside a trillion-dollar company. More alternatives are not a luxury here — they are the only thing that keeps the web a commons rather than a product.

Is it more secure than Chrome?

Honestly: in some structural ways yes, in overall battle-hardening not yet — and the two answers are not in tension.

Where Nordstjernen has the stronger design:

Where Chrome is, candidly, ahead today:

The fair conclusion: Nordstjernen’s threat model is smaller and easier to reason about, and it structurally eliminates the exploit class that produces most in-the-wild browser zero-days. That is a real and durable advantage. But “smaller attack surface” is not the same as “more hardened,” and the project does not claim to have out-engineered Google’s security organisation. It claims something narrower and more defensible: there is much less to attack, and the worst foothold — a JIT — is not there at all.

The exploit class Nordstjernen designs away: JIT CVEs in 2026

The argument is not abstract. Chrome shipped a string of V8 zero-days in 2026, several of them exploited in the wild before a patch existed, and the JIT compiler is squarely in the firing line:

Every one of these lives in the JIT/optimising-compiler machinery or the V8 type system that the JIT exists to exploit. A browser with no JIT does not get to be invulnerable — but it does get to be immune to this entire category, which in 2026 was the category doing the most damage.

Future work and the path to world dominance

The near-term roadmap follows the spec scoreboard: close the remaining partial and absent HTML rows, raise the web-platform-tests score on the highest-return areas, and broaden CSS and forms coverage until typical sites render indistinguishably from the incumbents. The AOT compiler’s proven-safe subset will widen beyond pure numerics toward strings, arrays, and object shapes, narrowing the remaining gap to a JIT without ever reintroducing one.

Reach is the other axis. Nordstjernen already runs on Windows, macOS, Linux, Android, FreeBSD, NetBSD, and the JVM, with both GTK and Qt shells and a C and Java embedding API. The strategy for broad adoption is the opposite of the incumbents’: instead of an ever-larger engine that only a megacorporation can maintain, Nordstjernen offers a browser small enough to understand — auditable, telemetry-free, JIT-free, and structurally sandboxed — as the rational default for anyone who actually cares what their browser is doing. Embeddability turns the engine into a building block for other software; the local-AI start page shows how assistance can be added without surrendering privacy; and the ten-year MIT conversion guarantees the work outlives any single steward.

The North Star is fixed: a fast, secure, minimal, self-auditable web browser that one person can hold in their head — and that, multiplied across everyone who wants exactly that, is the path to the top.

« Back to nordstjernen.org