Comment by notepad0x90
2 days ago
From an engineering and architecture perspective, I'm seriously disappointed at web notifications. They get abused by malicious or spammy threat actors a lot. The abuse potential was obvious from the start. Why are such technologies still possible, even after we've learned lessons from email and other legacy tech over the past several decades?
For example, why can sites spam users with repeated push notification requests? Why is there no active trust assessment and allow/block list maintained by browsers and OS vendors (yeah, they're a plague on win10/11 too)? It even makes sense to require an EV TLS cert for any push notification service. There are many ways to tackle this, but the naive way of just letting anyone set up a random site and start spamming people is so 90's/2010's. At least as a default, it should be very hard to be able to ask users to permit your push notification service.
I think part of the problem is that push notifications became a thing on mobile platforms, where apps are vetted by app stores. But random websites don't undergo any vetting before they can start pushing notifications to browsers. Another issue is that people who are part of these design decisions are too far removed from regular people who don't even know what a push notification is; they just accept random prompts and get increasingly miserable over all the popups over time. It is also very easy to allow a push notification, but the UI/UX makes it difficult to audit/disable these. Perhaps having some button or option in the notification box to disable similar notifications would go a long way?
In a way, the web industry re-introduced the annoying pop-up windows of the early internet.
>Why are such technologies still possible, even after we've learned lessons from email and other legacy tech over the past several decades?
The alternative seems far more disappointing from an engineering and architecture perspective to me - not bothering to implement any features because of fears that they may be abused.
I'm doubly disappointed because of your comment because that is not the alternative. You implement the technology with user experience as #1 priority and build layers upon layers of defenses against abuse and with trust establishment as its foundation.