[ocdtrekkie]

Much of the Chrome-introduced API surfaces which aren't supported in Safari tend to be about direct access to hardware. WebUSB, WebSerial, Bluetooth API, WebXR API, etc. etc. etc.

I would generally consider the introduction of these APIs to be hostile to average users: Each one adds a new fingerprinting vector, an extremely easy malware vector, and the protections Chrome team and standards folks have designated are woefully inadequate: Average users accept basically anything, and nobody on the Chrome development team has learned that yet.

[cromwellian]

They don't introduce a fingerprinting risk if there's no permanent acceptance, only session based acceptance locked to the origin domain. And you're bashing WebXR? Without WebXR, we couldn't even have VR/AR displays work on the Web. The lack of WebXR would be hostile to any user who owns a VR headset these days.

So what, you want VR/AR to be centralized to app stores only, or to a Facebook metaverse? Because that's what's going to happen if there's no way to author and host your own VR software.

And most of the fingerprinting risk being used in the field hasn't even come from these newer APIs, but from much older APIs which surfaced versioning information or HW specific limits, or rasterization differences, without requiring any permission dialog. For example, canvas fingerprinting. Even plain old CSS could be used to detect previously visited links by styling a button and measuring it (before the bug was fixed) None of those were behind any kind of permisson dialog or container.

Can you provide an example of some ad network using WebUSB or WebSerial or Bluetooth in the wild?

[ocdtrekkie]

> And you're bashing WebXR? Without WebXR, we couldn't even have VR/AR displays work on the Web. The lack of WebXR would be hostile to any user who owns a VR headset these days.

So, this is actually a huge part of my point, thanks for bringing it up. Nobody has a VR headset. I actually do have a very expensive VR headset, and it's sat in the box for a few years since I initially played with it. There was a craze three years back where everyone got one of those stupid Cardboards or a knockoff of it for Christmas, everyone hated it, and Google doesn't even support them anymore. I think Dell sent me one to promote one of their product lines once.

The problem here is Googlers have a completely unrealistic worldview, where stuff like having VR/AR displays work is something anyone actually cares about today. Go to a senior living complex, sit down with someone who is not in the tech industry, and see if you can help them figure out how to clean all the notifications permissions and sleezy browser extensions out of their Chrome install. Tonight I'm stopping by my parents' because my mother thinks a pinned site on her new tab page is something installed on her PC, and she wants it gone.

There are real world things Google could do to make their web browser help real human beings, but piling in new hardware APIs and then complaining other browser vendors aren't doing the same isn't what that looks like.

You should not be compromising your browser's core surface for something that at best applies to 1% of the population. Maybe these APIs have a use... as a separately installable plugin to add the functionality to the browser for the extremely niche crowd that needs them. This is true of connecting your serial device or your MIDI music interface to your browser too: It's just not something that belongs in a standard web browser toolset, and it's yet another thing I have to shut off to keep people safe on the web.

[cromwellian]

> Nobody has a VR headset.

Atleast 2 million Oculus Quests have been sold. And if no one has these devices, then WebXR is mostly useless for fingerprinting anyway.

> I actually do have a very expensive VR headset, and it's sat in the box for a few years since I initially played with it.

Goody for you. I have a Switch, Playstation, and Xbox that mostly sit rusting on the shelf as I mostly play PC games with mouse/keyboard. So therefore, my anecdote transfers to everyone?

> The problem here is Googlers have a completely unrealistic worldview

No, the problem here is, you have a derangement syndrome around Google. You rarely mention Facebook for example. Every company is working on AR/VR. Facebook, Microsoft, and Mozilla contributed major parts of the spec, but I'd say Facebook cares way more about VR these days than Google and they are betting the future of their company on it.

> It's just not something that belongs in a standard web browser toolset, and it's yet another thing I have to shut off to keep people safe on the web.

Maybe you have a point with MIDI, but musicians would probably disagree, but USB devices are ubiquitous, and VR/AR will be in the tens of millions of users within a few years, 6.1 million units predicted to be shipped this year, that's an exponential gain. And we all know that once Apple ships AR glasses, it'll explode further.

The real irony of your post is, if Facebook succeeds, Oculus will own a majority of the market, and they will control VR browsing in a Chrome fork (Oculus Browser), so they will put whatever APIs they wish into it, and Google nor Mozilla's opinion won't matter.

And if VR/AR becomes way more popular, which it seems poised to do, the fact that Chrome is 'safe' won't matter very much, and Google and Firefox will both end up implementing whatever Facebook wants to make it into their app store.

> Go to a senior living complex, sit down with someone who is not in the tech industry, and see if you can help them figure out how to clean all the notifications permissions and sleezy browser extensions out of their Chrome install.

How about you check their iPhones for how many recurring subscriptions they've been tricked into buying "1 month free", and forgot to cancel. I regularly find these on ordinary people's phones. They install apps, start a 1-month trial, and end up paying $5-10/mo zombie subscriptions for a long time before they notice.

But hey, notification permissions are the real problem, not their bank account being drained.

[ocdtrekkie]

> No, the problem here is, you have a derangement syndrome around Google.

https://news.ycombinator.com/newsguidelines.html

> You rarely mention Facebook for example.

Facebook is incredibly easy to not use and block. Google is a monopoly in almost every space it operates in, and I've been trying to escape the great beast for five years, and I still encounter a new problem daily that can be summed up with "someone at Google thought this was a good idea, and now we have to deal with it".

Facebook is trying crazy things because it is having an existential crisis with the reality that the most profitable target demographic does not care about Facebook anymore, and probably won't any time soon.

> Maybe you have a point with MIDI, but musicians would probably disagree

I think musicians can install some sort of feature pack that adds these sorts of APIs, as everyone else doesn't need them, and a massive bloated attack surface is a bad thing to do to web browsers just for the sake of a single group. (I similarly think if you buy a VR headset, you could probably install some addition to your browser along with the inevitable hardware driver nonsense and setup.)

> if Facebook succeeds > if VR/AR becomes way more popular, which it seems poised to do

I do not think Facebook will convince everyone to strap monitors to their heads. It isn't the sort of concern that outweighs the massive problems I see day to day in real world scenarios.

> check their iPhones for how many recurring subscriptions they've been tricked into buying

This is arguably a very good concern, but Apple is probably the least worst offender here, as they wrap all those subscriptions into a single UI where you can easily remove them without having to call someone on the phone. Checking someone's credit card statement for these is far, far worse, and incredibly hard to get rid of. (Six months, two Better Business Bureau complaints, and a credit card dispute later, I finally cancelled a subscription recently.)

[mtomweb]

Explain the fingerprinting vector of Web-Bluetooth and how it compares with CoreBluetooth? No one else has been able too

[smoldesu]

Then leave them disabled by default and prompt users to hand over control if a website wants it?

[threeseed]

We have decades of experience about how this works in the real world. Which is that most people will blindly click whatever button is there in order to get the site to work.

For features which compromise privacy or security it’s not an acceptable approach.

[smoldesu]

That's a non-issue. If fingerprinting is your concern, people aren't going to blindly tap through 3-5 "allow ____ access to your device" dialogues before they get the hint. If it is dangerous, then Apple could issue a warning in the notification explicitly telling people that it could compromise their browsing.

WebRTC and WebMs don't compromise security anyways. Apple just reaches into their bag of canned excuses and happened to pull out "security" this time.

[ocdtrekkie]

I think you missed the point: Nobody reads the warnings or notifications. Which is why it's absolutely an issue.

And yes, I routinely revoke permissions for dozens of sites from all sorts of Chrome permissions that the user doesn't even remember visiting, much less authorizing. People just click stuff.

[sangnoir]

That would lead to web apps being as useful as some App Store apps, and that is harmful to App^w the users.