[threeseed]

On iOS you can't disable functionality in that way.

Objective-C allows dynamic dispatch to private API methods which would be just fine to do on third party app stores.

As I mentioned above the issue is likely related to engines being able to cache the system prompts approvals across multiple PWAs effectively bypassing them.

[lxgr]

The third-party browser could just have its own prompt until Apple delivers their API, no?

On macOS, I already have to both grant Firefox permission to access camera, and then Firefox asks me about every website trying to access it individually, using their own UI.

[threeseed]

So you want to hand over control of who has access to the camera, microphone, photos, contacts to random browsers.

Or to companies like Google and Meta for advertising purposes.

[lxgr]

Did you read my comment? You still need to grant the permission to the browser in the first place.

This isn't any different from how it works already for all kinds of apps: If you grant Zoom the permission to access your camera, you do that once, and have to trust it on a per-call basis to not turn on your camera without your explicit consent.

If you don't trust your third-party browser to respect your choice as to which websites you want to grant access to your sensitive data, you probably shouldn't be using it, or at least not grant it access to that data in turn.

[threeseed]

Websites today don't have access to my contacts, messages, photos etc.

And you may be happy changing the status quo to allow that but I think it is a terrifying proposition.

[lxgr]

How would websites get access to your contacts? Just don't grant access to your contacts to your browser, whatever it is, problem solved!

The same applies to photos. iOS even has an API to let you pick a single photo to upload/share with an app that doesn't grant any access beyond that. And for messages there isn't even an API in the iOS sandbox.

Maybe you could clarify your concern; as far as I understand it, nothing whatsoever is changing on iOS due to the DMA in this regard (and I wouldn't want it to).

[jwagenet]

I think the concern/problem is you might want a pwa to have access to contacts, but you don’t want to provide contact access to the entire browser in this scenario since you may not trust the browser/other websites.