[HN Gopher] Permission.site
___________________________________________________________________
Permission.site
Author : valand
Score : 664 points
Date : 2021-03-26 03:29 UTC (19 hours ago)
(HTM) web link (permission.site)
(TXT) w3m dump (permission.site)
| walrus01 wrote:
| There is no way that 'pointer lock' should be something you can
| just click and get your pointer hijacked. You could label that
| button anything or make it any clickable element. Who the hell at
| web browser developers thought that was a good idea to implement?
|
| Why not have a "Do you want to allow this site to take control of
| your pointer?" prompt, same as when a site first wants to use
| your microphone or camera?
| capableweb wrote:
| I get a "$WEBSITE has control of your pointer. Press Esc to
| take back control" message in Firefox when that happens, and
| the message is pretty big and in your face. Do other popular
| browsers not have this message? Solves the problem in an
| elegant way.
| maddyboo wrote:
| Interestingly, in Firefox, if I trigger the Protocol Handler
| permission and then Pointer Lock, the Pointer Lock
| notification is hidden by the Protocol Handler bar. Seems
| like this could be abused.
|
| Screen recording:
|
| https://b-cdn.s3.maddison.io/99Q967Cnvz--
| 2021-03-26_02-58-20...
| yyx wrote:
| Maybe it's used for fullscreen games?
| walrus01 wrote:
| I'm sure it is, and works great for that, I just think it
| needs one more layer of user consent and understanding before
| it's turned on.
| tyingq wrote:
| I see it in emulators, like this one:
| https://www.pcjs.org/software/pcx86/sys/windows/3.10/
|
| (click one of the Windows apps once it boots)
| alpb wrote:
| I think lots of stuff like RDP extensions, or browser-based
| gaming (e.g. Stadia) are using it.
| kevingadd wrote:
| There are a ton of use cases that demand it, so it was added a
| long time ago (around the same time as Fullscreen, I think).
| The current user experience for it (opt-out instead of opt-in)
| has likewise been around for ages. I think I remember seeing an
| explicit permission prompt very early on but they got rid of
| it.
|
| "You could label that button anything" sadly applies to a
| significant number of dangerous things a website can do,
| pointer lock is not near the top of the list.
| cyberdummy wrote:
| I was surprised by this too, now have in firefox about:config
| dom.pointer-lock.enabled = false
| z3t4 wrote:
| There is this philosophical dilemma. Should your Star-Trek-
| inspired food-machine be able to load recipes from a URL, using
| a standard recipe-format, or should a URL on your computer
| device load an app that connects to the food-machine... ? eg.
| static web with different kinds of formats and devices - versus
| web-apps and APIs
| [deleted]
| mkarliner wrote:
| Err, I'm getting no warning for screen share. Chrome on Android.
| abraham wrote:
| The Screen Capture API isn't supported on mobile Chrome.
|
| https://developer.mozilla.org/en-US/docs/Web/API/Screen_Capt...
| BelenusMordred wrote:
| Doesn't include motion sensors, I think there might be a few
| other recent additions also missing.
|
| Of all the sites on Earth that I could learn this existed in the
| browser, it was rolling stone, with some generic static article
| on something I can't even remember.
|
| Why exactly does a magazine need access to my gyroscope,
| magnetometer and acceleration sensors? Especially considering
| that I'm on a desktop that thankfully doesn't have such things.
| bhrgunatha wrote:
| My cynical guess is to help identify you to advertisers or
| something to sell to data brokers.
| kube-system wrote:
| Unless the page has some feature that obviously uses
| accelerometer features, it's 100% that, no cynicism
| necessary. This is a not-uncommon fingerprinting technique.
| cmg wrote:
| The magazine doesn't, but advertisers are interested in using
| this as yet another way of fingerprinting you:
| https://www.cs.cmu.edu/~anupamd/paper/NDSS2016.pdf [PDF
| warning]
| yread wrote:
| To see whether you're rolling?
| bchanudet wrote:
| In order to experiment with WebXR without having my Oculus
| continuously on my head, I installed the WebXR emulator
| extension from Mozilla.
|
| I'm stunned how often I get the permission prompt on completely
| unrelated websites.
|
| I guess it allows tracking scripts to do even more
| fingerprinting.
| capableweb wrote:
| > I'm stunned how often I get the permission prompt on
| completely unrelated websites.
|
| I have the same problem and found that the embedded Vimeo
| player assumes all videos could be played in VR, although the
| video is a normal, flat video, so any webpage embedding a
| Vimeo video, prompts that permission notification for me,
| although the actual video could be on a different page but
| still initialized on page load.
| nakovet wrote:
| I would like to be able to take a screenshot of the user page
| (with their permission) using native APIs, that would be amazing
| for sharing content, bug reporting, etc. Google has a feedback
| tool that leverages html2canvas.
| dorianmariefr wrote:
| why not use html2canvas?
| abhiminator wrote:
| Absolutely blown away by the number of things you can do from a
| web browser these days. All of this would've been unimaginable a
| mere 10 years ago, right around the time when Google Chrome was
| in its infancy (or just out of it, to be precise) and the web
| browser market was still dominated by Internet Explorer, with
| Opera, Firefox and Safari (back when there was a Windows version
| of Safari) taking up small slices of the market share.
|
| Another cool site to check out: https://coveryourtracks.eff.org
| -- a great tool to see how unique your browser's 'fingerprint' is
| and how well it protects you from trackers and other annoyances
| online.
| etaioinshrdlu wrote:
| Year after year the web remains my favorite platform to use and
| develop for. No other platform comes even close to the
| compatibility, reach, staying power as the web. Here's to 100
| more years of the web (or something web-like in the future).
| JohnBooty wrote:
| I agree with you.
|
| But I'm afraid we're in its dying days, at least as far as
| the original ideals of the web were concerned.
|
| In our rush to make browsers more powerful application
| platforms rivaling operating systems themselves, we raised
| the bar so high that we ensured the web's destruction: by
| guaranteeing that it would eventually be effectively
| controlled by a single browser maker.
|
| In practice, this was probably _always_ going to be Google,
| but if it wasn't Google it would simply have been some other
| Google-sized player.
| II2II wrote:
| I'm still trying to figure out whether these capabilities are a
| good thing or a bad thing. On the positive side, what can be
| done through a web browser is absolutely amazing and web
| browsers offer finer grained control over resource access than
| the typical desktop operating system. On the negative side,
| most of these capabilities have privacy and security risks that
| are disproportionate to their value in a medium that is
| primarily used for media consumption.
| pfundstein wrote:
| Screen sharing/recording was a new one for me when I saw this
| nifty site on an earlier HN post: https://gifcap.dev/
| abhiminator wrote:
| I found out about screen-sharing through browser when I
| started using Discord app on the web. Was a very revealing
| moment for me when it came to insane advances in web
| technology.
| cblconfederate wrote:
| I think it even predates discord, i think appear.in offered
| it many years ago
| dheera wrote:
| 10 years ago it would have been unimaginable, but 20 years ago
| you could have done all of this with ActiveX controls.
|
| (Oh and yeah 20 years ago I had AJAJ by just loading the target
| URL in a hidden/offscreen iframe and reading its contents
| programmatically. Never mind the fact that I could also read
| contents from the user's hard drives ... although I didn't use
| it for this)
| abhiminator wrote:
| Ah ActiveX -- a gold mine for malicious actors.
| AnIdiotOnTheNet wrote:
| You say that like the web hasn't been. Hell, even if
| everything always worked properly, there were not XSS
| attacks, and users weren't easily fooled, the web would
| _still_ be full of malicious actors in the form of tracking
| and advertisement.
|
| Remember, we invented pop-up blockers because advertisers
| abused it, and we've been in an arms race with those
| assholes ever since. Tracking and ads in _desktop apps_
| came from the web ecosystem and now we're stuck with it.
| spookthesunset wrote:
| I don't think you can equate the two. ActiveX was barely
| sandboxed... in fact I'd like to say they were not
| sandboxed at all. They were native code running basically
| as root on your machine.
|
| It was something that came back when Microsoft was still
| convinced the internet would be a fad. Those activeX
| things could do all sorts of fun exciting things on your
| computer.
| AnIdiotOnTheNet wrote:
| Oh ActiveX was definitely worse, I should know since I
| was using the internet plenty when it was prominent. My
| point is, though, that malicious actors still basically
| control the web. They may not be executing native code
| without any controls, but that doesn't mean that the
| modern web isn't still their playground.
| dheera wrote:
| Oh yeah speaking of popups I once made a horrendous
| bouncing image script for IE 5.5 that allowed images to
| fly around your screen _outside_ the browser window.
|
| http://dynamicdrive.com/dynamicindex4/bounceimage2.htm
| tjoff wrote:
| And JavaScript is just as bad as ActiveX was. The only
| difference is that you are expected to have JavaScript turned
| on.
| JohnBooty wrote:
| There are many negative things that could correctly be said
| about Javascript.
|
| But this? This comment is _absolutely special._
|
| ActiveX controls were native code, with full system access
| by design. Possibly even worse, it was an absolutely
| blatant attempt by Microsoft to monopolize the web and
| maintain Windows' and Internet Explorer's dominance, as the
| controls were of course (in practice) intimately tied to IE
| on Windows on x86.
| tjoff wrote:
| Yet JavaScript is much more harmful than ActiveX ever
| was.
|
| Flash was an abomination, yet you could disable it with
| barely any consequences. Same with ActiveX.
| spookthesunset wrote:
| Tons of business apps were written in ways that required
| activeX. It was one of the main reasons so many companies
| held on to ancient versions of IE.
|
| Sure you could disable activeX but in practice it would
| have been rare.
|
| People bitch that sites don't support people who disable
| JavaScript but it really isn't worth catering to that
| type of person. I've been in multiple shops where we had
| the debate about how to handle non-JavaScript clients and
| every single time all the developers agreed it wasn't
| worth the hassle.
|
| This includes companies who had blind developers using
| screen readers and companies that had major legal
| liability if the site wasn't accessible. The "screen
| readers don't support JavaScript" argument has been dead
| for years now. The only people without JavaScript are
| those who intentionally disable it.
|
| It's just not worth building what is almost a second
| website for incredibly tiny amount of non-JavaScript
| viewers out there.
| tjoff wrote:
| Yes, and that was for internal use on the intranet. And
| yes, it was a huge problem that they insisted on using
| such old versions of IE, but that was the issue - not
| ActiveX.
|
| Perhaps the question should have been, why make a special
| version for the ones with javascript?
| JohnBooty wrote:
| It was incredibly common to see Windows installs utterly
| compromised by ActiveX controls doing god-knows-what, to
| both the infected computer and every other computer on
| the corporate network.
|
| The damage to individuals and the economy in terms of
| lost productivity and compromised personal information
| directly attributable to ActiveX's "compromise my system
| _by design_" nature is incalculable.
|
| To compare that to Javascript is rather spectacular.
|
| If you want to argue that Javascript has been able to
| wreak more damage over time precisely _because_ it's not
| as objectively insane and immediately destructive as
| ActiveX, well fine. It could be said that Javascript is
| Covid-19 to ActiveX's ebolavirus. Ebola is so wantonly
| destructive that it kills many of its victims before they
| have a chance to infect others, whereas Covid's less-
| awful nature has actually allowed it to harm more people
| over time and is now probably here to stay, like
| influenza.
|
| > Flash was an abomination, yet you could disable it with
| > barely any consequences. Same with ActiveX.
|
| This was very nearly not the case.
|
| IE/Win had close to 100% market share at one point. We
| were a hair's breadth away from a future where you could,
| in fact, not disable ActiveX without shutting yourself
| off from much of the web, like Javascript today.
|
| South Korea was actually there for a time. If you wanted
| to spend money online, various regulations meant running
| ActiveX was a requirement.
| tjoff wrote:
| Not that common. A bigger plague (though somewhat later
| if my memory serves me right) was toolbars that were
| sneaked into every other application.
|
| The power consumption alone of JavaScript easily shadows
| that. Pretty much no desktop computer in the world can go
| in lower sleep states because of javascript "idling" in
| the background. And a decent percentage of CPU cores are
| constantly pegged at 100%. Imagine the number of
| batteries that have prematurely died because of the stress
| of javascript - when all the user wanted was to read
| static text.
|
| Enabling ActiveX for your bank site is hardly the same.
| The real issue was running it on another OS than windows.
| Happily trade it for what we have today though.
| JohnBooty wrote:
| I miss the old internet too. But think about the way
| things were trending, and the way they have trended.
|
| Online commerce, content delivery, and advertising are
| what, multiple trillions of dollars' worth of business?
|
| Once the web/internet became established and began
| trending toward ubiquity, companies were clearly always
| going to invest a _lot_ into vying for our dollars and
| eyeballs. Without viable competition in the form of web
| standards, Javascript, and operating systems besides
| Windows it's almost certain that the evolving web would
| have leaned into ActiveX and/or Flash and made them
| essentially a requirement in much the way that Javascript
| is currently a requirement today.
|
| The timeline we're living in is not ideal, and I really
| dislike Javascript for a number of reasons, but it's also
| one of the primary reasons we're not living in an even
| worse timeline.
|
| There was always going to be something like Facebook. Now
| imagine Facebook... except powered by ActiveX instead of
| Javascript. Apologies if you just vomited as violently as
| I did while typing that. But when you talk about gladly
| trading Javascript for ActiveX, that's the sort of
| absolutely ruined world you're pining for.
| dheera wrote:
| > South Korea was actually there for a time. If you
| wanted to spend money online, various regulations meant
| running ActiveX was a requirement.
|
| This playbook is happening again in China now. Not with
| ActiveX but with WeChat and AliPay. It's increasingly
| difficult to live there without either of the two apps
| and I think it does not bode well for the future for
| society to be reliant on two private corporation apps for
| basic needs, in the same way that it was not a good idea
| for the world to be dependent on ActiveX 20 years ago.
| danShumway wrote:
| Note that coveryourtracks will be biased towards people who are
| private. It's a good way of identifying information that you're
| leaking, but you'll also see stats like 1 in 11 users disabling
| Javascript, which is just not representative of most of the web
| -- 10% of users on most sites are not disabling JS.
|
| It's still very useful, but don't take every single number it
| reports as gospel. It's tracking how unique you are _among
| people who purposefully visit a fingerprint testing site_.
| CyberRabbi wrote:
| I casually browse with Js disabled. Everyone should. It's a
| security nightmare to casually surf the web with Js enabled
| once you realize the frequency of WebKit/blink zero days
| being disclosed per month. iOS watering hole attacks are
| especially prevalent, even if those exploits tend not to be
| persistent. They just need to steal all your info once.
| Exhibit A:
| https://www.bleepingcomputer.com/news/security/google-
| warns-...
| danShumway wrote:
| There are a lot of advantages to browsing casually with
| Javascript disabled, assuming you're OK with needing to
| manually fix some of the sites you visit. I browse that way
| myself as well; that's why I can see the results I see when
| I load up the tracking site. Side note that UMatrix is
| officially deprecated at this point, but it's still a great
| resource for disabling scripts globally and enabling them
| site-by-site as needed.
|
| But 1 in 11 people on the web are not disabling Javascript.
| catchmeifyoucan wrote:
| I just tried cover your tracks. What's blowing my mind are the
| "System Fonts" field. As a designer, I constantly download
| fonts, and it makes my browser extremely unique it seems.
| gsnedders wrote:
| This is why Safari only exposes pre-installed fonts that come
| with the system to web content; it removes what can be a very
| unique fingerprinting data point.
| cblconfederate wrote:
| I think it was very much imaginable but browser makers were/are
| in no hurry to have their precious app store ecosystems
| replaced by web apps.
| gfxgirl wrote:
| I'm so glad. I trust running whatsapp.com, messenger.com,
| slack.com, discord.com, bluejeans.com, zoom.com etc.. I do not
| trust installing the Whatsapp app, slack app, discord app, zoom
| app, or bluejeans app. In the browser I have control, native
| (at least on Windows) I don't. Those native apps, at least on
| windows, can basically do anything. Read my entire hard drive,
| scan my network, install a key logger, turn on my camera and
| mic, etc.... In the browser they can't
| tjoff wrote:
| Yeah, lucky you for running six(!) different messaging apps
| that you do not trust.
|
| The future is just tragic.
| chronogram wrote:
| Indeed. They're sandboxed and you can alter the webapps in
| the browser. I mildly edit the CSS of most of the websites I
| frequently use over time with Stylus.
| VWWHFSfQ wrote:
| As long as those apps will run in my web browser, I'll run
| them there. I don't install any of their "native" apps..
| Although Google Meet is getting very difficult to run in
| Firefox. Crashes all the time.
| padenot wrote:
| Can you give us a couple of these crashes, that you can
| find in about:crashes (with the date sometimes it's easy to
| find the right one) ?
|
| If you send a link to padenot@mozilla.com I can have a
| look, I'm on the media team at Mozilla (that includes
| WebRTC).
|
| Thanks!
| Teknoman117 wrote:
| Google meet crashing is interesting. I use it literally
| every day for meetings and I run Firefox as my primary
| browser (on Linux though, if that matters). I can't recall
| ever having a crash from it.
| skrtskrt wrote:
| Doesn't google meet not have a native app? We use Google
| Meet at work and using a browser to screen share a browser
| or IDE window seems to absolutely peg my CPU no matter
| which browser I use.
|
| I have no love for Zoom but at least they have a desktop
| app so I can screen share without bogging down my whole
| machine
| sneak wrote:
| I ran into the issue recently where Zoom's web client
| wouldn't display my camera's correct aspect ratio. Their
| full client (on a burner laptop, don't trust them) had a
| setting to fix it.
| lrem wrote:
| Works fine in my Firefox... And does Google even offer
| native PC apps any more? I work there and haven't heard of
| such a thing.
| rplnt wrote:
| Drive and Photos have native apps, for obvious reasons
| (sync).
| vplaunch wrote:
| They can't? There's a setting in Firefox "Block new requests
| asking to access your camera" that you have to enable
| explicitly.
|
| I'd rather have a browser that cannot access these things at
| all. Now I have to hope that the permissions work and the
| implementation is bug-free (my trust in that is quite low,
| browsers are too large).
| randallsquared wrote:
| If you don't select that setting, is the default to always
| allow, or ask every time? If the latter, then the setting
| is just a convenience for those who always expect to select
| "deny", rather than any broadening of permissions.
| toastal wrote:
| It's a shame Firefox just ditched the SSB project instead of
| fixing the bugs and making it visible for PWA use. They say
| it's because people weren't using it, but it was another
| thing that was hidden behind about:config and had some
| glaring bugs, which are two strong reasons why people probably
| weren't using or even knew about it.
| mavhc wrote:
| whatsapp, messenger, slack and discord are all just electron,
| so almost identical anyway. Zoom has extra desktop features.
| Teams has slightly more stuff on desktop, and it's
| electron.
| lokedhs wrote:
| Unless you're on Linux. Teams web application allows you to
| share individual windows, but this feature is now available
| in the application.
| gingerlime wrote:
| I wonder if it's possible to install an ad blocker, at least
| on the electron-based apps? and regain that control?
| input_sh wrote:
| CSS-based, no.
|
| But you can put your computer behind Pi-hole or add some of
| Pi-hole's lists to your hosts file, which would prevent
| them from communicating with tracking domains completely...
| unless they also bundle some sort of a proxy or a VPN.
| gingerlime wrote:
| Yeah, I'm already using nextdns, but not sure it's enough
| in some cases...
| pabs3 wrote:
| I'd much rather open source native apps than open source or
| proprietary web apps (or proprietary native apps).
| danenania wrote:
| It's true that installing a native app requires a lot of
| trust, but on the other side of the coin, it's not currently
| possible to do end-to-end encryption securely in a web app,
| and content in web apps is vulnerable to browser extensions
| with blanket permissions (there are many ubiquitous ones).
| Web apps also don't have access to the OS keychain or any
| ability to set file permissions, meaning they can't store
| local data securely without help from a server.
|
| So if you want real data privacy, you need a native app,
| despite the drawbacks you point out.
| dillondoyle wrote:
| You probably could with WASM? Totally create your own stack
| 100%.
|
| And there are already encrypted media streams but I don't
| know if that counts as E2E?
|
| A lot of these 'native' apps are just web browsers
| anyways...
| danenania wrote:
| The key difference is running a signed, static bundle of
| code (or binary), rather than a bunch of code that is
| loaded dynamically from a server on every request, which
| can be modified without leaving any trace.
|
| So running WASM wouldn't make any difference if you're
| relying on a server to deliver you that WASM on every
| request. A compromised (or subpoenaed) server could
| simply ship you a compromised WASM payload for a single
| request and you'd be extremely unlikely to ever find out.
| If Signal wanted to add a backdoor, otoh, they'd need to
| ship it as a signed update to all their users, with all
| the reputation risk that entails.
|
| Whether a native app is simply a browser underneath
| doesn't matter, just how the code gets delivered to the
| user. Even a browser extension or chrome app could work,
| since they are run from a signed, static bundle rather
| than from a server.
|
| Encrypted media streams seem like a DRM feature? I don't
| think they have any relevance to end-to-end encryption.
| 4gotunameagain wrote:
| It's so frustrating that they deliberately make shitty web
| apps in order to force you to install an app on your phone
| (e.g. reddit, instagram)
|
| It should be illegal imo
| rplnt wrote:
| I'm fairly certain Jira does this as well. At least the
| first step of making the web app deliberately shitty.
| nicoburns wrote:
| JIRA just has poor-quality engineering all round. Their
| native apps are just as bad.
| KptMarchewa wrote:
| At least reddit allows third party apps.
| krtkush wrote:
| I think the eventual limitations on 3rd party apps are
| coming. A major part of the community has used/ is using
| the superior 3rd party alternatives, and they need to
| figure out how to nullify those advantages. It is
| inevitable because they want that sweet advertisement
| money for which 3rd party apps are a barrier.
| malikNF wrote:
| Well how long before they tell us they are "a very
| different company" [1] and decide to pull the plug on 3rd
| party apps.
|
| [1]https://www.reddit.com/r/changelog/comments/6xfyfg/an_
| update...
| DavidPeiffer wrote:
| Facebook is the #1 offender in my opinion. I absolutely
| refuse to install any Facebook app. Back in the day, you
| could message people in the mobile browser without issue.
| Heck, it even loaded new messages without needing to
| refresh.
|
| Then they decided you should need the app to message
| people.
|
| Then they decided you should use a completely separate app
| to message people versus browse Facebook.
|
| Now I have to use mbasic.facebook.com to message people.
| The quality of the experience dropped _so much_ because,
| but I'm glad they don't have access to my contacts, text
| messages, location, etc. They get enough info about me from
| other sources.
| soverance wrote:
| Yup, this exact timeline of degraded experience on
| Facebook led me to disable my account. I haven't
| reactivated it in over a year, and I'm happier for it.
| DavidPeiffer wrote:
| What kills me is I recall the mobile browser experience
| being better in the 2012 era than 2021. We've moved from
| alright 3G to widely available 4G with populous areas
| having 5G, and with home internet connections generally
| being much faster. The same website code could provide a
| much better experience simply from more bandwidth
| availability. Instead we've regressed because everything
| needs an app now.
|
| Some forum software allows the owners to create an app
| then prompts you to install their app. Not sure which it
| is, but it's super annoying.
|
| Over the last couple, reddit has significantly limited
| their mobile website utility, requiring login (like
| Instagram) and nagging you to download the app.
|
| Marketing metrics seem to have overcome usability in
| terms of relative importance. It's really frustrating to
| see what the mobile computing environment has become.
| coding123 wrote:
| I asked my dad to send me a picture of his shed recently.
| He asked if I have WhatsApp. I reminded him I don't use
| any social media. And he said, uh, it's going to be very
| hard for me to figure out how to send it without
| WhatsApp..
|
| No shed picture. But no compromises here either.
|
| Also I find it totally hilarious that I'm 42 and I have
| never even seen WhatsApp's interface yet my 80 year old
| father is a social media expert in a lot of ways.
| Teknoman117 wrote:
| I've been mostly trying to get my friends and family onto
| Signal. I really want to ditch FB messenger.
| lima wrote:
| Slack, too. Slack has a perfectly good workspace sidebar in
| their web app, but they hide it unless you're on a
| Chromebook (where you can't install their native app).
| spockz wrote:
| Can you spoof the user agent to get it to show?
| lima wrote:
| Yes. There's a Chrome extension that does it and a couple
| user scripts: https://webapps.stackexchange.com/questions
| /144258/slacks-we...
| bierjunge wrote:
| Depends on your Chromebook, I have an Acer R13 and it's
| installed and running (just checked it). Android apps
| don't have a designated "runs on Chromebook" flag as far
| as I know, so you can't really block it.
|
| But Chromebooks are sometimes a little bit special. I'm
| working on an app right now which is designed for tablets
| and wanted to check if I could run it on my Chromebook,
| because of the bigger screen (13" compared to Samsung
| S5/S6 with ~10") and I couldn't install it from the alpha
| channel. The thing was, it has a camera, a front camera,
| but the Manifest.xml required the default camera
| permission which was missing and this prevented me from
| even finding the app in the PlayStore.
|
| And Slack as app is basically only the website. All the
| "native" apps seem to just render it (Linux, MacOs and
| Windows are Electron apps, the Android version feels like
| a WebView)
| jooize wrote:
| Does spoofing user agent help?
| brianzelip wrote:
| See everything google related.
| CyberRabbi wrote:
| Yeah I agree with the spirit of that. There should be a
| name for that practice, something that makes it sound as
| bad as it is but catchy. Maybe, something like
| webhostaging. Reddit's webapp on mobile is notorious for
| webhostaging you into downloading their native app. It's
| literally unusable.
|
| There should also be a name for ostensibly public social
| media sites that webhostage you into signing up. Instagram
| comes to mind.
|
| It's a reprehensible dark pattern.
| egeozcan wrote:
| Maybe webhijacking? Maybe I should purchase a domain and
| document it... Who knows, maybe it catches on and people
| start linking to it.
| CyberRabbi wrote:
| Yes there needs to be a single use site for this.
| Everyone is familiar with this, it just needs a catchy
| name so people on Twitter spread this and easily shame
| websites en masse for doing it. Webhijacking is too
| similar to webjacking IMO
| https://www.geeksforgeeks.org/web-jacking/
| egeozcan wrote:
| I knew it sounded familiar from somewhere, thanks! :)
| prox wrote:
| Webcrapp
|
| Has both web and app in it, and it says what it does.
| Could also be webcrapping as verb.
| CyberRabbi wrote:
| I think a verb-oriented word is more powerful at shaming
| than a noun-oriented word. I think Crap is a little too
| vulgar to appeal to most people, some might feel
| uncomfortable at work saying crap for Instance. But try
| it out!
| _Qeomash_ wrote:
| App + Oppression = Appression
| Y_Y wrote:
| "webhostaging" is a much catchier name than the other
| suggestions in sibling comments, I think, and more
| memorable because it sounds weird (a bit like
| "webhosting"?).
|
| It's so clever I think I'll start using it, and also
| telling people I came up with it by myself.
| CyberRabbi wrote:
| It does sound too much like web hosting and in that sense
| it's a fail. Steal it all you want, I win if companies
| start feeling shame anyway.
| kubanczyk wrote:
| Appforcing?
|
| The industry term is "web-to-app conversion" by the way.
| CyberRabbi wrote:
| I like this suggestion, I think it needs to be more
| catchy and roll off the tongue a bit easier. Here are
| some other suggestions:
|
| Appholing Appstunting Nativebaiting
| dreamer7 wrote:
| I completely agree. MacOS, at least since Catalina, has been
| seeking more specific permissions for apps which is good.
|
| One particular video conferencing software asked for
| permission to read key strokes from any process! A very weird
| request. The only non-nefarious use case I can think of is
| that they want to allow keyboard shortcuts to work even when
| their app isn't in the foreground.
| jefftk wrote:
| Another potential non-nefarious use case would be to make
| push to talk work when it's not in the foreground?
| dreamer7 wrote:
| That seems really problematic though. I could be on a
| text editor, or the terminal or anywhere else requiring
| text input and might not be expecting this behaviour.
| jefftk wrote:
| Sorry, I edited my comment not to say spacebar, since
| space clearly wouldn't work.
|
| On the other hand, you might be able to do it with some
| key or combination that is less commonly used?
| aleclarsoniv wrote:
| I don't get why Apple doesn't provide an API for
| registering global key bindings. All it needs is user
| permission for a binding to be registered, and some kind
| of preference pane that shows you an overview of
| registered bindings.
| LeonM wrote:
| Funny, this URL reliably crashed my tab in FF 86.0.1 on Linux
| (with Wayland). When trying to open the debugger console I
| suddenly got the annoying 'firefox has to update' page, that
| updated to 87.0, and now it works.
| penguin_booze wrote:
| It was unknown to me until last week that web browsers can now
| share screens--I mean the whole desktop! I had to do a webex
| session, and I assumed I needed either Chrome or some kind of
| native app to do screen share. But, to my pleasant surprise,
| webex worked well with Firefox!
|
| Also new to me is 'pointer locking'. I wonder/wish if/when
| browsers would be able to transparently pass key bindings that'd
| otherwise be captured by the OS, like Alt+Tab. Then, just by
| visiting a website, I could use, for example, Citrix desktop
| remote login through my browser as if it were a native app.
| tyingq wrote:
| There is a keyboard lock api, and you can capture Alt+Tab, but
| only when you're already in full-screen mode. Mostly Chrome
| only: https://caniuse.com/mdn-api_keyboard_lock
| soylentgraham wrote:
| Chrome remote desktop has quickly replaced teamviewer, vnc, ms
| remote desktop and osx screenshare for me, in one fell swoop!
| Most significantly for helping other developers (usually just
| to undo a git state :)
| aerique wrote:
| Yes, I'm going to be the guy that mentions that this site does not
| do a thing with NoScript running.
|
| I'm always so happy with this addon and the first thing I install
| on a new machine.
| Jleagle wrote:
| Always wanted to use it but don't you just have to enable it on
| every site you visit anyway to make them function?
| aerique wrote:
| No, if you just need to read some text a lot of sites
| function with JavaScript disabled. Also, you can permanently
| enable sites, so often it is a one-time flip of the switch.
|
| I think (but never really researched and enabled it) you can
| also have it run in whitelist mode by default, so that you
| can disable JS for specific sites.
|
| Best to give it a try though.
| sanitycheck wrote:
| ...and after that first pass of enabling only what's needed
| to get a site to work sufficiently well, that site tends to
| be significantly more pleasant to use in future.
|
| I enabled JS for just eff.org, and coveryourtracks tells me
| I'm still spewing 17.12 bits of fingerprint all over the
| internet. I suppose it'd be possible for a browser to
| randomly rotate stuff like user-agent through multiple
| common values to mitigate that.
| avipars wrote:
| Site seems to be run by Google employees.
| anonytrary wrote:
| Wow! The source code is extremely readable as well. This is great
| documentation. Bookmarking for sure.
| codykochmann wrote:
| I think so far the best setup I've seen of this for browser
| restriction for a session is with running the browser in
| firejail. https://github.com/netblue30/firejail
| GeneticGenesis wrote:
| So many permissions, but meanwhile autoplaying video and audio is
| still hidden behind a horrible heuristic model in Chrome that
| fundamentally prioritises internet giants like YouTube, Netflix
| and alike.
| imwillofficial wrote:
| This is seriously cool. A great way to self audit browser
| security in a user friendly way.
| axaxs wrote:
| Cool site. I'm a bit annoyed that sites can seemingly overwrite
| your clipboard without confirmation, on Android at least!
| walrus01 wrote:
| Seems like a great method to social engineer people into
| copying to clipboard something that will install a trojan, get
| them to open a command prompt and paste it, in the general
| concept of curl piped into a shell.
| skzv wrote:
| No, it makes sense. "Copy this" buttons are common on websites,
| but probably require a button click to initiate. Since you
| clicked on a button, you provided the input necessary to copy
| to the clipboard.
| judge2020 wrote:
| Copying to the clipboard is unrestricted even without a
| click, but reading clipboard text requires a permission
| popup.
|
| https://web.dev/async-clipboard/#security-and-
| permissions:~:...
| kelnos wrote:
| Is it? When I click the "Write" button, it turns green, but
| when I click "Write (delayed)", after a while it turns red.
| So it seems (at least on Firefox 87) even the clipboard
| write API is restricted to user-action event handlers.
| axaxs wrote:
| This is exactly what I was thinking.
|
| Theoretically, a bad actor could have a site or even inject
| code onto a site with an innocuous looking bash command,
| but upon copy injects say, rm -rf ~ \n
| SilverRed wrote:
| The real bug is that \n pasted into the terminal counts
| as hitting enter. iTerm has fixed this but every Linux
| terminal I have used has this issue.
| shakna wrote:
| Every Linux terminal I've used has a pop-up when there's
| a new newline. Like this, which in this case is
| xfce4-terminal. [0]
|
| [0] https://i.imgur.com/ubCXASQ.png
| axaxs wrote:
| Gnome-terminal, probably the largest by user base, does
| not sadly.
| judge2020 wrote:
| Same for Windows Terminal:
|
| https://i.judge.sh/sentimental/Lotus/WindowsTerminal_fyi7
| k86...
| PowerBar wrote:
| Huh, I've never gotten a prompt like that in Terminator.
| vanviegen wrote:
| Is it still possible to paste into vim, for example? If
| so, how does the terminal make the distinction?
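A defender-side illustration of the terminal behaviour discussed above, added here and not code from permission.site or anyone in the thread: a paste inspector in the spirit of the "paste contains a newline" prompts that xfce4-terminal, Windows Terminal and iTerm show before text reaches the shell, plus a preview that makes control and zero-width characters visible. The regexes, function names and sample commands are constructed for the example.

```javascript
// Added example, not code from permission.site or anyone in the thread: a
// paste inspector in the spirit of the "paste contains a newline" prompts
// that xfce4-terminal, Windows Terminal and iTerm show before text reaches
// the shell. Regexes, names and sample commands are constructed here.

// Control characters other than tab, LF and CR (NUL, BEL, ESC, DEL, ...).
const CONTROL_RE = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g;
// Zero-width, bidi-override, line/paragraph separator and BOM code points.
const INVISIBLE_RE = /[\u200B-\u200F\u2028-\u202E\u2060-\u2064\uFEFF]/g;

const codePoint = (c) =>
  'U+' + c.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');

// Inspect text about to be pasted and report why a confirmation is warranted.
function inspectPaste(text) {
  const newlines = (text.match(/\r\n|\r|\n/g) || []).length;
  const controlChars = [...new Set(text.match(CONTROL_RE) || [])].map(codePoint);
  const invisibleChars = [...new Set(text.match(INVISIBLE_RE) || [])].map(codePoint);
  const reasons = [];
  if (newlines > 0) reasons.push(`${newlines} line break(s): pasting would press Enter`);
  if (controlChars.length) reasons.push(`control characters: ${controlChars.join(' ')}`);
  if (invisibleChars.length) reasons.push(`invisible characters: ${invisibleChars.join(' ')}`);
  return { newlines, controlChars, invisibleChars, needsConfirmation: reasons.length > 0, reasons };
}

// Render the paste for a confirmation dialog so hidden parts become visible:
// line breaks as U+23CE, control characters in caret notation (ESC -> ^[),
// invisible code points as <U+XXXX>.
function previewPaste(text) {
  return text
    .replace(/\r\n|\r|\n/g, '\u23CE\n')
    .replace(CONTROL_RE, (c) => (c === '\u007F' ? '^?' : '^' + String.fromCharCode(c.charCodeAt(0) + 64)))
    .replace(INVISIBLE_RE, (c) => `<${codePoint(c)}>`);
}

// Gate the paste: `askUser(report, preview)` is the UI hook (a dialog, etc.).
// Returns the text that may be sent to the shell, or null if the user declines.
function guardedPaste(text, askUser) {
  const report = inspectPaste(text);
  if (!report.needsConfirmation) return text;
  return askUser(report, previewPaste(text)) ? text : null;
}

// Constructed sample: an innocuous-looking two-line command with a trailing Enter.
const SAMPLE = 'cd ~/project\nmake install\n';
```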
| judge2020 wrote:
| This can be done even without the clipboard API - See
| https://thejh.net/misc/website-terminal-copy-paste and
| further https://security.stackexchange.com/a/113630/96942
| kelnos wrote:
| Seems like this requires you to select some text (which
| includes some text that's been hidden using CSS tricks)
| and copy it. So it's not like the website can just
| arbitrarily write to your clipboard without your
| interaction? (Still, this is kinda scary and I didn't
| know about this.)
| input_sh wrote:
| They can append the message to whatever you'll actually
| want to copy, which is how websites used to do things
| like this.
|
| - Copied from
| https://news.ycombinator.com/item?id=26590437
| axaxs wrote:
| Really interesting (and terrifying) reads, thank you.
| mrtksn wrote:
| It's also a privacy issue. Google's Firebase Dynamic Links is
| using it non-maliciously to survive app installs for deep
| linking (when the app is not installed it helps you redirect the
| user to the correct screen after the install), however any
| webpage can actually put something on your clipboard and match
| you on an app by reading your clipboard.
|
| With iOS 14 at least we can tell when apps are reading the
| clipboard.
| kristopolous wrote:
| Hey, sorry, I'm really dumb here. How would one use this?
| szhu wrote:
| It's a handy way for developers to compare the web permissions
| that different browsers support, and to be able to quickly see
| what the permission UI looks like.
| I_Byte wrote:
| It appears as though you click on each button and see what
| color the button turns. If the button turns red the site
| doesn't have the permission to do what the button says. If the
| button turns green then the site can do what the button says.
| jononomo wrote:
| I think his question is: what's the point?
| pfundstein wrote:
| Mostly as a tool for developers to test various permissions
| on various browsers
| hunter2_ wrote:
| I guess this rabbit hole continues if one asks what the
| point of such testing could be. One thing I'd find useful
| is that I could take screenshots (or live demo this site)
| if I was doing some non-web-development thing such as
| doing a presentation and wanted to explain WebAuthn flow
| or something.
|
| Because if I was a developer doing development, I'd test
| browsers with what I developed.
| leipert wrote:
| Or maybe you are a developer that is using one of the
| features for the first time. Now you can check out the
| permission flow without having written any code. Similar
| to live examples in MDN.
| PurpleFoxy wrote:
| I found it interesting to see what happens on Safari on iOS
| after each permission was requested. About 1/3 did nothing,
| a few of them were denied without a prompt, a few of them
| were as expected. And a few of them had weird prompts like
| the pan/tilt on asking for camera permission.
|
| Was also interesting to see WebAuthn ask if I wanted to
| allow a site to use Face ID, which I didn't know was even
| possible.
| jackson1442 wrote:
| Yeah WebAuthn is really neat! Unfortunately many sites
| still don't think iOS supports it so I have to use my
| auth app instead of my YubiKey on those sites when on my
| phone.
| imafish wrote:
| Thank you. This explanation was helpful to me.
| RootKitBeerCat wrote:
| Async - clipboard: does this mean with a button press a site can
| copy what's in your memories "copy"/clipboard functionality?!
| abraham wrote:
| Yes, if the user grants the site permission.
|
| https://web.dev/async-clipboard/
| akvadrako wrote:
| No, it can only write to the clipboard, at least in Firefox.
| kijin wrote:
| The mouseover effect on the HTTP/HTTPS toggle is very annoying.
| It makes it hard to ascertain which mode you're actually in while
| the cursor is anywhere near it.
| spion wrote:
| I wonder if this is the default behavior from some UI toolkit
| or is it custom...
| kevingadd wrote:
| Yeah, I clicked that thing like 6 times before I understood.
|
| For the confused: check the address bar, clicking it actually
| changes the URL of the site (to flip you into/out of secure
| mode).
| Andrew_nenakhov wrote:
| I still don't get it. Clicking the address bar or the switch
| toggle does nothing for me. Manually entering
| http://permission.site also doesn't help
| MauranKilom wrote:
| Do you maybe have HTTPS Everywhere installed? Or is your
| browser maybe set to always choose HTTPS if possible?
|
| (The former applies to me, and clicking the toggle does
| nothing for me either.)
| soheil wrote:
| I had no idea you could screen share in JS.
| joshribakoff wrote:
| Can record to video too, sort of like logrocket
| kmeisthax wrote:
| Yup! Meeting apps need it.
| smaddock wrote:
| Desktop and window capture is included for all platforms as
| part of WebRTC.
| airstrike wrote:
| For some reason the regular popup works without asking for my
| permission, whereas the delayed one gets blocked by Firefox
| (86.0.1 on Windows 10).
| kristofferR wrote:
| That's intentional. Instant popups from clicks can have totally
| legitimate uses (like logging into sites like Disqus/PayPal etc.
| on external sites).
|
| Delayed popups have very few, if any, legitimate uses.
| thomasfoster96 wrote:
| This will happen in most browsers (I'm on Safari 14, macOS
| 11.2). The popup-blockers in most browsers will allow a popup
| if it is opened directly because of user input, such as a
| button click -- a fairly simple measure which can be
| implemented by only allowing certain APIs to work within an
| event handler, for example.
|
| There are a few Web APIs which work this way -- for example,
| you can't make a page fullscreen unless you do so in response
| to user input/interaction [0].
|
| [0]: https://developer.mozilla.org/en-
| US/docs/Web/API/Element/req...
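A model of the "only inside a user-input event handler" rule described above, added here and not code from permission.site or any browser: it shows why the instant "Write"/popup succeeds while the delayed one fails, and why one click cannot open two popups. The 5-second window is Chromium's default and is an assumption of this model, as is the simplified list of activating event types; the timeline is constructed.

```javascript
// Added example, not from the page or any browser's source: a model of the
// "transient user activation" rule thomasfoster96 describes. The 5-second
// window is Chromium's default and an assumption here; the event list is a
// simplification of the spec's, and the timeline below is constructed.

const ACTIVATION_WINDOW_MS = 5000;
const ACTIVATING_EVENTS = new Set(['click', 'keydown', 'mousedown', 'touchend']);

class ActivationTracker {
  constructor() { this.lastActivation = -Infinity; }
  // Called from an event listener; only trusted (user-generated) events count,
  // so a script calling element.click() does not mint an activation.
  onEvent(event, now) {
    if (event.isTrusted && ACTIVATING_EVENTS.has(event.type)) this.lastActivation = now;
  }
  isTransientlyActive(now) { return now - this.lastActivation <= ACTIVATION_WINDOW_MS; }
  // Activation-consuming APIs (window.open is one in the HTML spec) spend the
  // activation, so a single click cannot open a second popup.
  consume() { this.lastActivation = -Infinity; }
}

// Gate an API call the way a popup blocker or a clipboard.writeText gate does.
function gatedCall(tracker, api, now, consumes = false) {
  if (!tracker.isTransientlyActive(now)) {
    return { api, allowed: false, reason: 'no recent user activation' };
  }
  if (consumes) tracker.consume();
  return { api, allowed: true };
}

// Constructed timeline mirroring the "Write" vs "Write (delayed)" buttons and
// the instant vs delayed popup from the thread. Times are in milliseconds.
function simulate() {
  const t = new ActivationTracker();
  t.onEvent({ type: 'click', isTrusted: true }, 0);
  const immediateWrite = gatedCall(t, 'clipboard.writeText', 10);
  const delayedWrite = gatedCall(t, 'clipboard.writeText', 8000); // setTimeout, 8 s later
  t.onEvent({ type: 'click', isTrusted: false }, 8000);            // el.click() from script
  const syntheticPopup = gatedCall(t, 'window.open', 8010, true);
  t.onEvent({ type: 'click', isTrusted: true }, 9000);
  const firstPopup = gatedCall(t, 'window.open', 9005, true);
  const secondPopup = gatedCall(t, 'window.open', 9010, true);     // same click, already spent
  return { immediateWrite, delayedWrite, syntheticPopup, firstPopup, secondPopup };
}
```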
| wnevets wrote:
| Popups triggered by a user are considered trusted and are
| usually allowed.
|
| https://developer.mozilla.org/en-US/docs/Web/API/Event/isTru...
| simonebrunozzi wrote:
| I might have discovered a Chrome bug.
|
| 1) Turn bluetooth off.
|
| 2) Click the "bluetooth" button, then deny it.
|
| 3) Chrome crashes.
| llacb47 wrote:
| What operating system?
| techrat wrote:
| I wonder if it's OS dependent. Xubuntu 20.04, Chrome 88 and
| Chromium 89, could not duplicate.
| dorianmariefr wrote:
| https://bugs.chromium.org/p/chromium/issues/entry ?
|
| They will probably fix it
| sloshnmosh wrote:
| Ha!
|
| Just by coincidence when I opened the site in Safari on iOS I got
| a pop-up message that my SIM card had sent a text message.
| egberts wrote:
| This is awesome. I used it to pre-configure all six web browsers'
| access permission (nearly all to deny mode).
| uploaderwin wrote:
| It's so sad that such amazing features are often abused more than
| they are actually used. It's always a cat and mouse game with the
| browser vendors and ad makers.
|
| Like web push notifications and popups are two really useful
| features but the amount of abuse they have had to endure is
| amazing. Every shitty site from newspapers to Reddit to Facebook
| must show a dark screen and ask me to subscribe to web
| notifications before I can see anything.
|
| Then there are hidden APIs for which no permission is needed,
| like trapping of the back button (where a site gains access to my
| browser's back button and won't let you go back) and page close
| button (where it shows a popup asking you to confirm you want to
| leave).
| Debug_Overload wrote:
| Blocking notifications by default made my browsing experience
| so much better. The amount of "allow notifications" bullshit on
| the Web is insane.
| postalrat wrote:
| You must be visiting some shady sites.
| Debug_Overload wrote:
| The trend of asking for notifications is not just limited
| to "shady" sites, however you define that.
| prox wrote:
| Well, in the case of news, they need to make money. If they
| can't show you ads, you are of zero value to them, only adding
| to costs (and I hate the practice just as much).
|
| What I want since forever is a tipjar that works well. I put a
| bit of credit into my tipjar. I read an article and at the
| halfway point it allows me to tip an amount. Should be
| anonymous if I want and a one- or two-click affair.
| jooize wrote:
| Push notifications in Safari just suck because the
| discoverability method is a dialogue box that interrupts and
| blocks all other user actions.
|
| The browser should never let a website interrupt unless allowed
| by the user. Place a bell icon in the address bar and make it
| translucently balloon up when triggered for visibility.
|
| Side note: the browser interface should stay outside the untrusted
| zone of web content. Whenever it can't, the interface could have an
| unobtrusive, inimitable background pattern extending from the
| trusted zone into the untrusted zone. The user should always
| know what is browser or website.
___________________________________________________________________
(page generated 2021-03-26 23:02 UTC)