Comment by LegionMammal978
2 days ago
> According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling "push notifications," a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser.
An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)
The entire idea of push notifications on browsers was obviously toxic from the start, especially the privileged status "Do you want to enable notifications?" popups had.
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
I use this feature all the time and I love it. Not having to install dozens of apps just to see the occasional notification is a dream come true.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
I can think of exactly two use cases for web browser push notifications:
- Web-based email
- Web-based chat
That’s it. Every other use case seems to be solving a “them” problem (how do we increase engagement?) and not a “me” problem.
Even if I wanted to hear about updates from a website (and I never do), I could sign up for emails. And If I don’t trust a website with my email, I certainly don’t trust them with sending me push notifications.
In fact, let me take chat apps off that list, because if I don’t have the webapp open in a browser window, the chat app should have the option to just email me about someone trying to message me (and ideally, letting the other party know I’m unavailable and letting them choose whether to send me the email.) So no, really just email and that’s it.
I’m super curious what your use cases are if you use web-based push notifications “all the time”.
4 replies →
I think notifications came about as part of Progressive Web Apps (PWA).
IMO random websites prompting to access your location data is far more problematic
The biggest problem there is that several browsers don't want to remember your response of "No" for more than one day. They want you to be constantly tracked. I'd like to be able to tell all browsers, never track my location or send me a notification from any website but that's not what they want. Orion by Kagi is a breath of fresh air in this department.
DocuSign tracks your location when you sign a document unless you disable it in the browser. Learned that a few years ago.
Its a progressive webapp feature and would be a necessary tool tobescape Apple and Google stores and hardwarw lockin. Like all tech, hindsight is 20/20 with malicious actors.
One of the first settings I change in any new browser is to forbid notification requests from all pages, and disable dom.beforeUnload (stops websites being able to prompt to confirm if I want to close the tab). Those functionalities are probably the most abused browser functionalities and definitely shouldn't be enabled by default (or if so only for a whitelist of sites).
How do you do this? I'm looking to do it for the clipboard API. Browsers should be able to block copy and paste.
In firefox: about:config -> dom.disable_beforeunload=true
For copy-paste: dom.event.clipboardevents.enabled=false I would guess.
A quick google shows this for FF (taken from a thread in StackOverflow):
> In Firefox you can completely disable beforeunload events by setting dom.disable_beforeunload to true in about:config. Extensions may be needed for other browsers.
A word of caution: I'm not 100% sure, but I wonder if some web collaboration tools might use this to ensure data has been synced with a server.
2 replies →
I have run into this. My notes: Google Chrome (Desktop & Android)
chrome://settings/content/notifications Or Settings > Privacy and security > Site settings > Notifications Under "Default behavior," select: Don’t allow sites to send notifications.
------------------
Mozilla Firefox (Desktop)
Settings > Privacy & Security Scroll to the "Permissions" section, find "Notifications," and click "Settings…"
At the bottom, check: Block new requests asking to allow notifications.
------------------
Microsoft Edge
Settings > Cookies and site permissions > Notifications Set the default to block all notification requests.
------------------
Safari (macOS)
Safari > Settings (or Preferences) > Websites tab > Notifications Untick: Allow websites to ask for permission to send notifications
------------------
Samsung Internet (Android)
Settings > Notifications > Allow or block sites
I honestly think desktop notifications in their current form are one of the worst features of the modern web. Sure it's nice to get an email alert but on my experience there's probably a thousand confused old people getting spammed for each person that intentionally enabled it.
What's worse is they look like native OS alerts (on Windows) so when one says "SECURYIRT ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
So many sites ask for permission to send notifications that have zero reason to do so. Why would I want push notifications from a shopping or news site?
Honestly, push notifications from a news site arguably is one of the few sites that I see having a reason to send push notifications.
Communication platforms; messaging apps (Slack, Discord etc); email sites (gmail and co.) also make sense. Financial platforms (banks, Stripe etc)
Once you start getting out of these two categories, then yeah, it gets silly. No way should an airline website even be allowed to ask to send push notifications.
Google does have a way for Chrome users to not show the notification window (https://yespo.io/blog/google-chrome-will-now-block-abusive-b...) by default (https://support.google.com/webtools/answer/9799829?hl=en) but I really wish that this was flipped, so that Google would first need to approve sites to use notifications, similar to the Public Suffix List.
17 replies →
Same reason you subscribe to their newsletters. To get discounts.
I don't understand why people would want that, but neither do I understand the people who actually enter their email address in those "subscribe to my newsletter" popovers.
I wonder how many people's browsers get push notifications from Temu, or Amazon.
I feel like the web would be a better place if "allow notifications" popups were only allowed for PWAs the user already installed. I.e. they have to manually interact with the page and then click the prompt acknowledging they want to install the site as an application on their computer before the site can start popping up windows from the browser asking for notification permissions.
It's not that there are 0 use cases where it could possibly be convenient to get notifications from a plain site but, like you said with the email example, 95% of the legitimate use cases are probably better modeled as an app anyways.
What's "progressive" about installing software?
It's always saddened me that people failed to understand the web platform, and never more so than today when that platform could be on the verge of extinction.
Young people don't remember this: in the 1990s if a big corporation wanted to make a 1-line change to an application deployed to a fleet of desktops they'd have to update every single machine and to do so they'd probably have to hire at least 1 FTE and probably more for installer engineering and other makework.
With the web it is often
on the server and you're done!
As it is I can find web sites with search, links from other sites, bookmarks and history. If you "install" applications you just clutter up your desktop with 300 icons for applications you don't really use which makes it hard to find the 2-3 that you really use.
Instead of desktop notifications web apps should use pinned tabs and show a badge in the tab header.
That’s more a browser implementation issue though. Browser could offer that as a choice for how to handle notifications, on a per-website basis.
Elderly neighbor for me. Quite insipid; it took me a few minutes to realize that they were browser-based when I first got to the computer.
Advocacy for "progressive web apps" always fell flat to me. There are a few reasons, such as web workers being a Rube Goldberg machine when people just wanted the kind of facility to control caches and fetching that Netscape Netcaster had in 1997. It was predictable to me that the usage breakdown of push notification was going to be
and now people are just catching up to the obvious.