Most active commenters
  • j-pb(9)
  • sitkack(3)

←back to thread

Apple declined to implement 16 Web APIs in Safari due to privacy concerns

(www.zdnet.com)
428 points coronadisaster | 17 comments | 29 Jun 20 10:16 UTC | HN request time: 0.001s | source | bottom
Show context
j-pb ◴[29 Jun 20 13:59 UTC] No.23677662[source]
So basically everything that would allow web apps to become capable enough to provide a viable alternative to their App store.

If they really cared about privacy they'd auto-generate their new privacy labels based on a websites api access pattern, and put them in an easy to access place.

They should also simply ask the user for permission if a privacy critical api is being accessed, same as we do with the microphone and gps. Or if they want to prevent users from being bothered, they could make them opt in as others have pointed out. So you have to manually go to the privacy label, and select the stuff you want to allow.

I'd love to be able to plug midi devices into my phone. Implement pwa games that use local bluetooth connections for gameplay with friends in the train. Or be able to access my 3d printer from my phone without having to release a ridiculous App store app.

replies(2): >>23677767 #>>23678183 #
girst ◴[29 Jun 20 14:12 UTC] No.23677767[source]
nearly all of those APIs are also considered 'harmful' by Mozilla[1]. Some have even been disabled after implementation because of this[2]. These were developed by Google for Chrome OS, and besides the privacy issues, they substantially increase attack surface for security vulnerabilities.

[1]: https://mozilla.github.io/standards-positions/

[2]: https://developer.mozilla.org/en-US/docs/Web/API/Battery_Sta...

replies(1): >>23677812 #
j-pb ◴[29 Jun 20 14:17 UTC] No.23677812[source]
Mozilla also killed WebSQL because the existing implementation was too mature...

I don't know what they're driven by, but it's not pragmatism.

replies(2): >>23677865 #>>23678381 #
1. sitkack ◴[29 Jun 20 15:18 UTC] No.23678381{3}[source]
There is too much opinion in your statement.

Mozilla opposed it, rightfully so, in that it would dictate that SQLite be the implementation used everywhere. Mandating the inclusion of SQLite is not a spec.

As much as I like SQLite and looked forward to it being in 2/3 of browsers, Mozilla made the right call. The web should be implementable entirely by the specification.

Google likes to define the spec as the identity function of the implementation. Popeye specs, "I yam what I yam and dats all that I yam".

replies(3): >>23678572 #>>23679440 #>>23681816 #
2. j-pb ◴[29 Jun 20 15:40 UTC] No.23678572[source]
WebSQL would have been a spec, could have been a living spec too. Start out with SQLite in all the major browsers, and then gradually have them diverge. Blink and Webkit started the same way. Independent implementation does not mean "implementation of uncommon history".

But somehow "paving the cowpaths" doesn't apply to tech that they don't find attractive.

Similarly, and that is actually a statement loaded with opinion, I've seen way to many self proclaimed "spec hackers" at mozilla. People who relish in the joy of writing out ideas, I mean who doesn't love building castles in the skys, but who completely ditch the implementation. It doesn't matter if you have the most beautiful spec in the world if the implementations are shoddy, or if it specifies the wrong thing.

Web specs are the modern hackers "waterfall" design process. Sure everybody talks a lot, and there are many pretty documents that come out of it. But once you start implementing the stuff, you start to realise that all your assumptions were wrong, and now you've made a mess.

I think specs actually produce less diverse implementations. Because they are so easy to write, in comparison to code, and because writing them doesn't give you immediate feedback on when you've reached a good minimal feature set, it's almost inevitable that you end up with way more stuff than you actually need. There is a reason that there are essentially only 2 Multitrillion dollar companies that can keep up with that mess. And mozilla would have died long ago if google wasn't keeping them alive to avoid anti-trust investigations.

In all fairness Living Specs try to acknowledge this, but somehow we still collectively pretend that they are more than mere documentation, that by calling them a "specification" instead of "documentation" they somehow make the web run.

Specs don't run the web. Code does.

replies(4): >>23679256 #>>23679275 #>>23679316 #>>23679433 #
3. jandrese ◴[29 Jun 20 16:48 UTC] No.23679256[source]
How would you migrate to a different SQL implementation? It would have to be 100% SQLite compatible in the early days because that's what all websites would expect. It makes migration nigh impossible.

That said, as long as the SQL implementation they choose is free and open source I'm not sure this is such a bad thing. I mean we are also stuck with Javascript in the browser and that hasn't been a total disaster. The whole point of standardization is to choose one particular solution and have everybody use it.

replies(1): >>23679997 #
4. acdha ◴[29 Jun 20 16:50 UTC] No.23679275[source]
> WebSQL would have been a spec, could have been a living spec too. Start out with SQLite in all the major browsers, and then gradually have them diverge. Blink and Webkit started the same way. Independent implementation does not mean "implementation of uncommon history".

You need to think about the barriers to implementation: if everyone ships SQLite, developers will inevitably write code which depends on that exact implementation and anyone shipping something new will need to copy it - including unintentional behavior and bugs – to work with existing sites. That is extremely expensive and might lock in something we’re going to regret later if someone finds a behavior which wasn’t intended for this context and has security or performance issues.

Anyone working on the web should be especially sensitive to this since we came close to having the specs for all web technologies be “whatever IE6 does”.

replies(2): >>23679692 #>>23680217 #
5. orf ◴[29 Jun 20 16:53 UTC] No.23679316[source]
> Start out with SQLite in all the major browsers, and then gradually have them diverge. Blink and Webkit started the same way. Independent implementation does not mean "implementation of uncommon history".

The point is that they would clearly never, ever diverge. Any sqlite quirks (of which there are plenty) would be enshrined into the backwards-compatibility requirements of any browser that used it. Plus building a database isn't simple - so why not just use sqlite? Setting out to fork or rewrite sqlite is not a task that makes any sense.

replies(1): >>23679969 #
6. sitkack ◴[29 Jun 20 17:02 UTC] No.23679433[source]
There is a lot to unpack in your post, but I get the gist.

You are free to use SQLite on Wasm, in your browser, you break no one and no one breaks you.

Wasm was designed well from a spec and community perspective, Google matured and Mozilla matured and in the end all the browser vendors go together and designed something that lots of folks can implement w/o multimillion dollar development efforts.

You know, I have written web apps that use SQLite and Lua running in the browser. They shouldn't be included inside the browser and nor should browser vendors have to worry about it.

replies(1): >>23680087 #
7. ◴[29 Jun 20 17:03 UTC] No.23679440[source]
8. GoblinSlayer ◴[29 Jun 20 17:20 UTC] No.23679692{3}[source]
Also SQLite wasn't designed to run untrusted SQL code. It's an embeddable SQL engine, not a web SQL engine.
replies(1): >>23680228 #
9. j-pb ◴[29 Jun 20 17:39 UTC] No.23679969{3}[source]
The exact same argument could have been made for Blink and WebKit, which didn't turn out to be true.
10. j-pb ◴[29 Jun 20 17:41 UTC] No.23679997{3}[source]
I think your second argument also applies to the first no? Any technology that is implemented in a major browser, be it JS, Webkit, SQLite has incentives to port it to other platforms. Web developers don't expect 100% compatibility, they are so used to things behaving differently and broken across browsers that it's actually surprising if something just works from time to time.

If anybody was expecting 100% compatibility all the time, we wouldn't get any new standards, and would all use chromium.

11. j-pb ◴[29 Jun 20 17:48 UTC] No.23680087{3}[source]
Well that's kind of a different argument. But one I can get well on board with.

We should kill JS, and EVERY WebSpec, except for WASM and WASI. Take the best parts of html and css and implement a virtual dom / immutable data driven document format for WASI.

Focus all our efforts on carving useful capabilities for WASI and end this web nightmare once and for all.

Not realistic, but a man can dream...

replies(1): >>23681891 #
12. j-pb ◴[29 Jun 20 17:57 UTC] No.23680217{3}[source]
How is that different from what we have now?

Living specs don't give any guarantees, yet they still "pave the cow paths" while keeping ridiculous bugs and behaviours for backwards compatibility, and breaking existing specs for convenience. It all depends on the person dealing with the problem.

Nobody expects compatibility with existing specs, why should they for WebSQL? Especially when it's a living standard.

If those things were true, we would all use the same browser by now and never see new standards, and Blink and Webkit would have never diverged from another.

Open source quarrels basically guarantee a steady supply of competing forks.

13. j-pb ◴[29 Jun 20 17:58 UTC] No.23680228{4}[source]
That doesn't make it any less of a solid foundation for a web SQl engine.

It's like getting gifted a car, and complaining that you'd rather have winter tires. So you start building one from raw metals.

14. Mikhail_Edoshin ◴[29 Jun 20 19:51 UTC] No.23681816[source]
I was under the impression that the "by specification" idea was generally tossed out with HTML 5, where the specification started to describe the current implementation. And this was cheered by everybody. What has changed?
replies(1): >>23682218 #
15. sitkack ◴[29 Jun 20 19:56 UTC] No.23681891{4}[source]
It is realistic and at some point, one of the browsers will be a shell that runs Wasm and browser updates will just be Wasm.
replies(1): >>23682610 #
16. bzbarsky ◴[29 Jun 20 20:16 UTC] No.23682218[source]
The specification describes what implementations should do to be interoperable. As opposed to what someone wishes implementations were doing but has no hope of convincing them to do, which was the major change with HTML 5.

But the fact that there are multiple implementations remains. and it remains a goal that one should be able to create a _new_ implementation by implementing the spec. Notably, this goal was not achievable with the pre-HTML-5 specification.

In the specific case of WebSQL, if someone were to actually create a specification for it that didn't boil down to "run this exact version of SQLite and pass things on to it", that would have allowed for the "possible to create an implementation from the spec" goal to be achieved. But no one ever stepped up to do that.

17. j-pb ◴[29 Jun 20 20:37 UTC] No.23682610{5}[source]
The birth and death of javascript