Comment by username223
2 days ago
> TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”

Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
Because people turned browsers into an app platform and users wanted their webmail and chat services to have the same first-class features native clients had.
Who wanted their web browser to let hostile programs send notifications and access battery levels, unused fonts, etc.? Ad companies run the web standards bodies, so "people" (i.e. you and me) have to deal with this.
In all fairness, some of these things you've mentioned could be useful. If your battery is low, reprioritize the webapp's functions, lower requests, disable anything not necessary in the moment.
Notifications are just another convenient thing that you and I use every day.
Perhaps these things should be disabled by default, or requested upon being needed, but that's not really your argument it would seem.
Because it's very useful.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.