Comment by user5994461
5 years ago
I don't want random web sites I open (and their ads) to ask permission to scan bluetooth in my area and use usb devices connected to my computer. A website has no business doing any of that. There is no justification for these API to exist.
I don't want _most_ websites doing this. There are some websites (especially PWA) where they are definitely useful and can replace a heavy client.
Maybe it shouldn't "asking for permission" but "giving your permission" explicitly. If you don't need such an API, you would never be bothered by it if the model is opt-in without notification/popups.
I understand the problem you have with websites asking for permissions, especially push notifications permissions, as they keep showing up. And I do definitely agree that having a website that does not need any of these permissions ask for it would be even more annoying but there are definitely cases where I'm glad a website can help me out (and I don't have to download a heavy client that might or might not have tracking and analytics in it)
>There are some websites (especially PWA) where they are definitely useful and can replace a heavy client.
How can this be so when the web browser itself is a heavy client?
Unless you only use one such website ever, then it's a win for the browser to be the heavy client instead of having separate ones for each.
You could argue that, however, I don't think it change the fact that you already have it installed. So, in my honest opinion, it is indeed replacing a second heavy client that you might have installed if you browser did not have this capability.
Why would you ever want a PWA when a native version exists?
And "heavy client" is a fallacy. Operating systems come with runtimes too. Very complex native app can be very small in size if it uses the native controls and APIs. They can be KB in size. Any asset is going to be bigger than the binary itself.
The web-as-native apps are the ones that are huge, because they embed a behemoth (a browser) which is akin to an entire operating system.
PWAs run from the browser sandbox which is generally much stricter than restrictions for native apps. Permission systems for native applications seems to be starting to follow browsers (flatpak, snap, .appx, etc.), but don't offer nearly the ability to restrict what a native app can do like the browser does.
In theory native apps are "trusted", but I think for the vast majority of users the trust between a companies website and app are equivalent, vetted the same, and probably do an equivalent amount of tracking if not more by the native app (facebook SDKs are pretty common in native mobile apps).
1 reply →
I already have a browser, and the PWA uses that.
> I don't want random web sites I open (and their ads) to ask permission to scan bluetooth in my area and use usb devices connected to my computer.
Why not? It makes complete sense for something like a website that backs up the photos stored on your camera. What's even the counter argument, that if people want to back up their data they should have to pay Apple?
If you've granted a website access to a restricted API, the browser can just paint a flashing red border around the website or whatever, similar to how people configure their terminals when they're SSH'd into prod.
I don't want random sites to ask to use anything on my computer. It's like a popup ad - it's annoying and blocks the site. Sure, there are legitimate use cases, but if it's anything like push notifications it will be heavily abused and far too many sites will ask for permissions.
Because every other site will start asking you to scan Bluetooth when some ad network starts using it to fingerprint you
I’m tired of websites asking if I want to enable push notifications from them. The answer is, and will always be, GTFO.
In most browsers, you can go into settings and default it to block without asking.
most sites use a html modal to ask for the permission, and if you answer yes they make the request to the browser api which shows his own modal.
I disagree. I want that. Therefore a website does have business asking for those things.
You (or a small minority of users) actively wanting it is not sufficient justification for creating APIs that will, with near-certainty, enable additional widespread surveillance and data gathering of the public by entities whose only interest is in profiting from that data, not better serving the public.
You're wrong. Therefore the developers' effort should not be wasted, and certainly not while exposing their users to privacy risks, exploits, and such other dangers as will inevitably arise when placing the capabilities to perform sensitive operations in software which also deals with untrusted input from the Internet.
This is definitely going to be downvoted.
Isn't App store apps (Not reserved to Apple's one, this also works for Google, Microsoft and many others) untrusted code too? It runs with even more privileges than your browser's code and have access to more fingerprinting information if that's what it is going to do.
As far as I see it, a PWA with these permissions has less privacy risks than a native application I can find on a store. I'd really like to understand how installing an app is not an issue but having the access from the browser is. Is it simply the permission framework that is broken and you don't trust it to not leak information when the API is disabled?
3 replies →
How can I be "wrong" about wanting these features? They're features that I want. I literally can't be wrong about that.
> capabilities to perform sensitive operations in software which also deals with untrusted input from the Internet.
But native apps don't deal with input coming from the internet? If that's what you think, you're... wrong.
8 replies →
Same argument could be made for JS in general. The justification for those APIs to exist is because developers want to implement features using them, same as with JS in general too.