What you're actually seeing is people who want Chrome to control the web and expect all other browsers to blindly follow whatever features they add to suit their business model.
I don't think this is true. Safari has terrible audio and video support, including for WebRTC. The reason is clear: they want people to use apps instead of webpages.
And that would be a conspiracy theory. I wouldn’t make such assumptions about why Safari goes in one way or another. Priorities, patents, security, privacy, marketing… there’s all kinds of motivations that drive a team.
So much this. Most of the new "features" Google keeps introducing and expressing irritation aren't supported in Safari offer significant privacy risk and dubious real world benefit.
I ran into issues needing OffscreenCanvas [1] recently. What privacy issues would that present? We were creating real world benefit with it and had to do some major over-architecting to get around it not working.
I would like to say, Firefox doesn't support it either.
Much of the Chrome-introduced API surfaces which aren't supported in Safari tend to be about direct access to hardware. WebUSB, WebSerial, Bluetooth API, WebXR API, etc. etc. etc.
I would generally consider the introduction of these APIs to be hostile to average users: Each one adds a new fingerprinting vector, an extremely easy malware vector, and the protections Chrome team and standards folks have designated are woefully inadequate: Average users accept basically anything, and nobody on the Chrome development team has learned that yet.
They don't introduce a fingerprinting risk if there's no permanent acceptance, only session based acceptance locked to the origin domain. And you're bashing WebXR? Without WebXR, we couldn't even have VR/AR displays work on the Web. The lack of WebXR would be hostile to any user who owns a VR headset these days.
So what, you want VR/AR to be centralized to app stores only, or to a Facebook metaverse? Because that's what's going to happen if there's no way to author and host your own VR software.
And most of the fingerprinting risk being used in the field hasn't even come from these newer APIs, but from much older APIs which surfaced versioning information or HW specific limits, or rasterization differences, without requiring any permission dialog. For example, canvas fingerprinting. Even plain old CSS could be used to detect previously visited links by styling a button and measuring it (before the bug was fixed) None of those were behind any kind of permisson dialog or container.
Can you provide an example of some ad network using WebUSB or WebSerial or Bluetooth in the wild?
> And you're bashing WebXR? Without WebXR, we couldn't even have VR/AR displays work on the Web. The lack of WebXR would be hostile to any user who owns a VR headset these days.
So, this is actually a huge part of my point, thanks for bringing it up. Nobody has a VR headset. I actually do have a very expensive VR headset, and it's sat in the box for a few years since I initially played with it. There was a craze three years back where everyone got one of those stupid Cardboards or a knockoff of it for Christmas, everyone hated it, and Google doesn't even support them anymore. I think Dell sent me one to promote one of their product lines once.
The problem here is Googlers have a completely unrealistic worldview, where stuff like having VR/AR displays work is something anyone actually cares about today. Go to a senior living complex, sit down with someone who is not in the tech industry, and see if you can help them figure out how to clean all the notifications permissions and sleezy browser extensions out of their Chrome install. Tonight I'm stopping by my parents' because my mother thinks a pinned site on her new tab page is something installed on her PC, and she wants it gone.
There are real world things Google could do to make their web browser help real human beings, but piling in new hardware APIs and then complaining other browser vendors aren't doing the same isn't what that looks like.
You should not be compromising your browser's core surface for something that at best applies to 1% of the population. Maybe these APIs have a use... as a separately installable plugin to add the functionality to the browser for the extremely niche crowd that needs them. This is true of connecting your serial device or your MIDI music interface to your browser too: It's just not something that belongs in a standard web browser toolset, and it's yet another thing I have to shut off to keep people safe on the web.
Atleast 2 million Oculus Quests have been sold. And if no one has these devices, then WebXR is mostly useless for fingerprinting anyway.
> I actually do have a very expensive VR headset, and it's sat in the box for a few years since I initially played with it.
Goody for you. I have a Switch, Playstation, and Xbox that mostly sit rusting on the shelf as I mostly play PC games with mouse/keyboard. So therefore, my anecdote transfers to everyone?
> The problem here is Googlers have a completely unrealistic worldview
No, the problem here is, you have a derangement syndrome around Google. You rarely mention Facebook for example. Every company is working on AR/VR. Facebook, Microsoft, and Mozilla contributed major parts of the spec, but I'd say Facebook cares way more about VR these days than Google and they are betting the future of their company on it.
> It's just not something that belongs in a standard web browser toolset, and it's yet another thing I have to shut off to keep people safe on the web.
Maybe you have a point with MIDI, but musicians would probably disagree, but USB devices are ubiquitous, and VR/AR will be in the tens of millions of users within a few years, 6.1 million units predicted to be shipped this year, that's an exponential gain. And we all know that once Apple ships AR glasses, it'll explode further.
The real irony of your post is, if Facebook succeeds, Oculus will own a majority of the market, and they will control VR browsing in a Chrome fork (Oculus Browser), so they will put whatever APIs they wish into it, and Google nor Mozilla's opinion won't matter.
And if VR/AR becomes way more popular, which it seems poised to do, the fact that Chrome is 'safe' won't matter very much, and Google and Firefox will both end up implementing whatever Facebook wants to make it into their app store.
> Go to a senior living complex, sit down with someone who is not in the tech industry, and see if you can help them figure out how to clean all the notifications permissions and sleezy browser extensions out of their Chrome install.
How about you check their iPhones for how many recurring subscriptions they've been tricked into buying "1 month free", and forgot to cancel. I regularly find these on ordinary people's phones. They install apps, start a 1-month trial, and end up paying $5-10/mo zombie subscriptions for a long time before they notice.
But hey, notification permissions are the real problem, not their bank account being drained.
We have decades of experience about how this works in the real world. Which is that most people will blindly click whatever button is there in order to get the site to work.
For features which compromise privacy or security it’s not an acceptable approach.
That's a non-issue. If fingerprinting is your concern, people aren't going to blindly tap through 3-5 "allow ____ access to your device" dialogues before they get the hint. If it is dangerous, then Apple could issue a warning in the notification explicitly telling people that it could compromise their browsing.
WebRTC and WebMs don't compromise security anyways. Apple just reaches into their bag of canned excuses and happened to pull out "security" this time.
> Which features are you thinking about that would present a privacy risk?
From this week?
>Since most of us keep our phones in our pocket or on our person, there is a lot of motion data generated on the device throughout the day. Google Chrome, by design, allows any website you click on to request that motion data, and hands it over with gusto. Researchers have found that these sites use accelerometer data to monitor ad interactions, check ad impressions, and to track your device.
Or where they just don't have the resources. None of this explains why Safari's WebRTC implementation was busted, or why a lot of their CSS was lagging.
it's a bit of both. safari often also fails to implement sensible features in a reasonable timeframe (my personal grudge example is webp), but I do agree that chrome/google is also doing its best to choke out all other engines via API attrition