You may be minimizing the attack surface, but just because a web browser only supports HTML and CSS doesn't mean it couldn't contain exploits.
It's possible that the HTML parser or image rendering library has a bug and that malformed HTML could cause a vulnerability in the browser. Granted, I believe it would be significantly easier to harden parsers and graphic rendering, but it's already been shown that certain image rendering libraries have been exploited[1].
It's possible that the HTML parser or image rendering library has a bug and that malformed HTML could cause a vulnerability in the browser. Granted, I believe it would be significantly easier to harden parsers and graphic rendering, but it's already been shown that certain image rendering libraries have been exploited[1].
[1] Example: http://technet.microsoft.com/en-us/security/bulletin/ms08-02...