←back to thread

Apple declined to implement 16 Web APIs in Safari due to privacy concerns

(www.zdnet.com)
428 points coronadisaster | 7 comments | 29 Jun 20 10:16 UTC | HN request time: 3.309s | source | bottom
Show context
jamesgeck0 ◴[29 Jun 20 16:27 UTC] No.23679063[source]
> Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.

This API is actually a bit horrifying from a security perspective. In addition to allowing you to use MIDI keyboards as input devices on websites, it also allows websites to send binary firmware updates to MIDI devices. The reason is that it's common to use custom firmware to backup/restore settings and enable neat effects and functionality on MIDI devices.

Mozilla's engineers have reasonably pointed out that an attacker utilizing Web MIDI could use MIDI devices as a stepping stone to launch an attack against the user's PC outside of the web sandbox. One such attack might be by reprogramming the device to appear as a standard USB computer keyboard and "typing" commands to the host.

At least one well known manufacturer has vouched for the technical safety of their musical instruments, noting that they're physically designed in such a way that the MIDI firmware can't alter USB firmware. But there's no way to know that every MIDI device has been similarly well designed.

As neat as Web MIDI is, I think Mozilla and Apple probably made the right security call here.

https://github.com/mozilla/standards-positions/issues/58

replies(11): >>23679155 #>>23679165 #>>23679283 #>>23679303 #>>23679633 #>>23680706 #>>23681158 #>>23681737 #>>23682770 #>>23683437 #>>23683855 #
1. seph-reed ◴[29 Jun 20 16:38 UTC] No.23679155[source]
Why not just limit allowed midi status to: Note On, Note Off, CC, Aftertouch, and Pitch Bend? Or maybe be readonly?

Is there a way to escalate that I'm not seeing? AFAI remember, all programming is done through status messages 11110000 and above.

https://www.midi.org/specifications-old/item/table-2-expande...

Full Disclosure: I made a web synth and really want to be able to use midi to play with it.

replies(5): >>23679258 #>>23680397 #>>23681452 #>>23682614 #>>23683678 #
2. anyfoo ◴[29 Jun 20 16:48 UTC] No.23679258[source]
Better yet, reasonably abstract the raw MIDI protocol away with something that has suitable security and privacy properties for the web, and translate it to MIDI on the host. In any case, the current proposal does not seem to cut it.
3. strbean ◴[29 Jun 20 18:10 UTC] No.23680397[source]
I don't see why the API should even allow enumerating devices. Put that behind a browser dialog. Webpages don't get to enumerate directories/files on your system - they pop up a file picker dialog. The same should happen with device selection. Once you've granted the site access to a device, it can ask you to associate a name with the handle, and provide whatever shiny device selection / device management UI it wants.
4. Jonnax ◴[29 Jun 20 19:24 UTC] No.23681452[source]
Yeah. It's crazy to me that they haven't decided to create some abstract virtual midi instrument. That you can instruct the browser to pass through to your devices.
5. lioeters ◴[29 Jun 20 20:37 UTC] No.23682614[source]
Exactly. Apple can choose to implement what they consider to be a safe interface for WebMIDI. Instead, they refuse all of it?

In my opinion, Apple has an incentive to keep the web crippled in some aspects, and this is just another symptom of that deeper underlying cause.

Well, I guess if I ever need WebMIDI features, I'll put a banner for Safari users to switch to Firefox.

(Or.. Maybe Firefox on iOS is forced to use the same engine as Safari..?)

6. danudey ◴[29 Jun 20 21:55 UTC] No.23683678[source]
I agree that it would be nice to have a limited amount of the Web MIDI spec, but bear in mind the staggering few people who actually have MIDI devices, and the even more staggering few of those people who want to use whatever website has midi support for its features.

To answer your question about why not to just limit the API: because that would be another data point to use to fingerprint users, and because the amount of engineering time that would have to go into Web MIDI support (including testing, security auditing, etc.) would never be worthwhile compared to putting those same developers on something that might be beneficial to vastly more users.

(Also note that Firefox made the same decision to implement nothing at all.)

replies(1): >>23691809 #
7. seph-reed ◴[30 Jun 20 16:31 UTC] No.23691809[source]
This is just a philosophical standpoint, but I think supporting the interests a small group of experimental pioneers is generally more useful than their numbers would imply.

The idea that "staggering few" is a negative disappoints, given it has almost always been the "staggering few" who've progressed humanity.