Comment by buran77
5 years ago
> The point (which I vehemently disagree with) is that prompting for permission is insufficient because illiterate users will just click accept on the dialogs.
I had 2 points actually, which I thought I made very legibly. I didn't think they they need a fourth reading but here we are... They are both solidly confirmed by present day reality. 1) is what you mentioned already. As seen with cookie prompts, app permissions, actual scientific studies, etc. if you pester people with alerts and popups they are desensitized and start ignoring and accepting them. 2) is that once you give a website permission you lost control. They lack even the modicum of oversight apps receive.
> So apparently we now have to restrict all interesting functionality
All? Hyperbole much? Or did you just decide that these 16 APIs are the crux of "interesting functionality" and freedom? It doesn't matter how much you allow there's always going to be someone to shout "they restricting eeeeverything around here". This is what security and privacy measures do, restrict some things because the benefit doesn't outweigh the cost/risk. All those features are sold as "essential" when in fact most of them at best address some minor nuisance. Then they're promptly hijacked for nefarious purposes because there's always going to be some wannabe coder who insists that his website needs to know my battery level for some (undoubtedly good) reason.
Care to ponder how we got here in the first place? With every piece of tech around trying to steal data from you one way or another, usually in a dishonest way? There's a reason Google is championing this and it's not that they want to give you "interesting features".
It's always a compromise and for the past decade+ we've been compromising a lot more on the privacy side. If you truly believe you can have both privacy and aaaaalll interesting functionality in the real world you're either naive or sitting on a gold mine.
>It doesn't matter how much you allow there's always going to be someone to shout "they restricting eeeeverything around here".
A good example here would be the MIDI interface getting blocked because it allows binary uploads via certain control message, as well as device enumeration.
If privacy is the main issue with this API, then the allowed control messages that the API would accept could be limited strictly to note on, note off, key velocity, etc.. things that have no realistic possibility of data leakage or compromise.
But instead, no, we lose the whole thing, even though a more nuanced approach (and in this case, one that's easy to implement - MIDI being rather straightforward) would satisfy any privacy concerns.
So with that in mind, the fact that a privacy-respecting alternative exists, no. I don't believe for a hot minute that that this is all about privacy - that is mere marketing fluff. I instead believe it is Apple is using privacy as a pretext for ensuring that PWAs remain as gimped second-class citizens on the platform in furtherance of their lock-in.
> have no possibility of data leakage
Oh if I had a penny for every time someone said with such certainty that "this is safe" only to be proven wrong sooner rather than later I'd have a second yacht :).
> I don't believe for a hot minute that that this is all about privacy
Of course it's not. It's about appealing to the customer base Google and the likes are losing by using an actually useful feature as a bridge to them. For the moment our interests align, whether by side effect or not. That's it.
But while you get your "first class interesting features" in apps, and second class shaky experience in the browser, what do I get for privacy? They're both already turning (turned?) to malignancy with too much of the code dedicated to actual data extraction. You have your apps, let others have their browser at least. That was the escape when you wanted to touch Facebook and Google Maps and no 10ft pole was around. If you think I'm unreasonable for wanting a last bastion of privacy (saying this is a bit of a stretch), just think that you're the one who insists everything should be how you want it by turning even the browser into the hot mess that apps already are. And this in exchange for some "interesting features" that you already have if you need them just not in every single piece of software.
You're ostensibly a coder so I don't need to point you to all the instances of trust being breached via conscious decisions. But surely this time they won't abuse that power. Neither will the host of obscure and completely unvetted websites one may access.
I don't think there's more to be said. It never ceases too amaze me how cheaply people are willing to sell their privacy for and how much they're willing to fight to make sure this is everybody else's only option.
How many browser exploits are you aware of that target the user's keyboard input directly? Because that's the level of complexity we're talking about here with MIDI. You only need to pass through what key was hit, for how long, and how hard, to have reasonable functionality.