←back to thread

Apple declined to implement 16 Web APIs in Safari due to privacy concerns

(www.zdnet.com)
428 points coronadisaster | 3 comments | 29 Jun 20 10:16 UTC | HN request time: 0.001s | source
Show context
jamesgeck0 ◴[29 Jun 20 16:27 UTC] No.23679063[source]
> Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.

This API is actually a bit horrifying from a security perspective. In addition to allowing you to use MIDI keyboards as input devices on websites, it also allows websites to send binary firmware updates to MIDI devices. The reason is that it's common to use custom firmware to backup/restore settings and enable neat effects and functionality on MIDI devices.

Mozilla's engineers have reasonably pointed out that an attacker utilizing Web MIDI could use MIDI devices as a stepping stone to launch an attack against the user's PC outside of the web sandbox. One such attack might be by reprogramming the device to appear as a standard USB computer keyboard and "typing" commands to the host.

At least one well known manufacturer has vouched for the technical safety of their musical instruments, noting that they're physically designed in such a way that the MIDI firmware can't alter USB firmware. But there's no way to know that every MIDI device has been similarly well designed.

As neat as Web MIDI is, I think Mozilla and Apple probably made the right security call here.

https://github.com/mozilla/standards-positions/issues/58

replies(11): >>23679155 #>>23679165 #>>23679283 #>>23679303 #>>23679633 #>>23680706 #>>23681158 #>>23681737 #>>23682770 #>>23683437 #>>23683855 #
BiteCode_dev ◴[29 Jun 20 16:52 UTC] No.23679303[source]
Besides, I know they want to turn the browser into an os, but it's not one.

It's sandboxed from the os and limited to some use cases, which is the point. I don't want something capable of hot loading code from any web site to have the capabilities of my OS.

replies(4): >>23679788 #>>23680134 #>>23682636 #>>23683607 #
dheera ◴[29 Jun 20 17:52 UTC] No.23680134[source]
It's kind of sad though because it's still 10X easier to build a browser app than a native app simply because of the wealth of highly-usable stuff written for JS.

Every time I have to build a GUI in Linux I just build a webapp that connects to a TCP backend on localhost because that way I can just build a beautiful UI in HTML/JS/CSS and I don't have to deal with the mess that is GTK, QT, TCL, TK, and all that crap.

Android programming is another can of worms and I'm frankly fed up with Gradle updates breaking my project every update and needing 79+ files, multiple cludgy steps for signing APKs, zipalign (wtf) and other crap just for a Hello World.

What would be nice to have is "installable" apps that use the webkit rendering engine but have full access to the system including directly opening TCP ports and direct access to /dev. These would have to be trusted apps obviously. Websites that load code without consent should be restricted, of course.

replies(2): >>23681824 #>>23684558 #
1. Kaze404 ◴[29 Jun 20 23:15 UTC] No.23684558[source]
Why not just use GTK or Qt?
replies(1): >>23685546 #
2. dheera ◴[30 Jun 20 01:29 UTC] No.23685546[source]
GTK:

    import gi

    gi.require_version("Gtk", "3.0")
    from gi.repository import Gtk


    class MyWindow(Gtk.Window):
        def __init__(self):
            Gtk.Window.__init__(self, title="Hello World")

            self.button = Gtk.Button(label="Click Here")
            self.button.connect("clicked", self.on_button_clicked)
            self.add(self.button)

        def on_button_clicked(self, widget):
            print("Hello World")


    win = MyWindow()
    win.connect("destroy", Gtk.main_quit)
    win.show_all()
    Gtk.main()
HTML:

    <html><body>
      <button onclick="alert('Hello World')">Click Here</button>
    </body></html>
Now try implementing a swipe tab UI in GTK with animations and embedded video. In HTML you can probably import someone's awesome library .js file and be done with it in 5 minutes. Video is a snap. In GTK you have to deal with some idiotic factories, pipelines, sinks, faucets, and other god-knows-what abstractions. In HTML it's just <video>.
replies(1): >>23689452 #
3. Kaze404 ◴[30 Jun 20 12:47 UTC] No.23689452[source]
You could also use a glade file and only worry about functionality on the code itself. It's not too bad.