Technically, Google isn't wrong about this...
-
-
Notifications on the left? Gross.
-
@Lorne_Kates said:
I didn't even know browsers had a "Notification" functionality. I've never in my life seen that.
Everyone seems outraged at either Discourse or the browsers but...
Blame W3C.
On my Linux PC it's randomly either top right or top left ...
Consistent top right for me (I imagine it would be bottom right if I was a weirdo who puts his panel on the bottom).
-
Why is it only things with "apps" that have fine-grained permissions systems? Why can't desktop operating systems do that as well?
OS X has a privacy section in the system prefs where you can decide which programs get access to your contacts, location, etc. in much the same way as on an iOS device. This gets you warnings like:
-
so a plain old SecurityException would probably be your best bet there...
It's Java, of all languages. The darn thing won't compile if you don't handle checked exceptions.
Of course it wouldn't stop bad coders from
try{}catch{/*ignore*/}ing, but at least it would force them to think a little for a fraction of a second.
-
@Lorne_Kates said:
What kinda of doorknob-dead shit is Discourse trying to do that would use it?
Notifications. It says right in the message.
-
WinPhones have had a permissions system where apps asks for certain permissions, such as using GPS location data, as they need them.
That was in Symbian millennia ago already. Blame the Google policy of making it idiot-friendly by hiding stuff.
Actually, as necessary as those permissions are, I suspect most users are not able to understand them anyway, so they are not actually helping the security anyway.
-
Fairly sure
SecurityExceptionis aRuntimeExceptionthough. Given how unlikely it is to be thrown in a normal environment.
-
Consistent top right for me (I imagine it would be bottom right if I was a weirdo who puts his panel on the bottom).
Does this count as top right if it's also covering the top left?
-
0/10 would not notify again
-
If I got to call the shots, one would have to implement a callback interface with different methods for the success and failure paths. As annoying as that would be (in particular in verbose Java), it would have the advantage of being able to support an asynchronous authorization process.
Unless someone has a better suggestion.
-
Everyone seems outraged at either Discourse or the browsers but...
Blame W3C.
I'm willing to blame all three of them.
-
Eh, I don't really know if there's a need for an async auth process... If you're authorizing, there's either going to be a popup (blocking UI) or it'll happen pretty much instantly. Making
SecurityExceptiona checked exception (or making a different exception class) is definitely a good idea though, because then at least people have to handle the error. They mightON ERROR RESUME NEXTbut at least you're making people think about it...
-
Making SecurityException a checked exception (or making a different exception class) is definitely a good idea though
Agreed.
-
At this point, is it feasible for Android to introduce more fine-grained permissions, assuming that breaking thousands of existing apps is not an acceptable outcome?
-
Aaaaand there's the 800 GB gorilla in the room.
I suppose they could introduce those changes in the next version of the Android API, but only code built against that API version would have that capability. And it would break on older Android versions. And old apps wouldn't magically work. And you'd get compile time errors on previously working code (Not that that should be a surprise, given Gradle...)
-
I could post any YouTube video to show first-hand how Google can do anything without caring what they break.
More seriously, while I do think it's feasible, I agree it's something that should be done progressively for the reasons @sloosecannon has mentioned.
-
And it would break on older Android versions.
That one specific issue should be mostly solvable already: you can specify a minimum API level on your apps, and the store won't even show them to you if you are on an older version.
-
Well yeah, but then your app wouldn't be available on older devices. Which, unfortunately, cuts out a huge market...
-
Why is it only things with "apps" that have fine-grained permissions systems? Why can't desktop operating systems do that as well? Why is it just three-state "program is not running" -> "program is running as user" -> "program is running as admin"?
Because "we've always done it that way".
-
@Lorne_Kates said:
I didn't even know browsers had a "Notification" functionality. I've never in my life seen that.
I have no idea how you guys have missed this over the last, what, 3 solid years it's been in Chrome. You're not the first.
-
I have no idea how you guys have missed this over the last, what, 3 solid years it's been in Chrome
I think I was aware of it as a feature, but I don't remember any site apart from GMail actually using them
-
I have no idea how you guys have missed this over the last, what, 3 solid years it's been in Chrome. You're not the first.
I have literally never seen a site ask to have notifications before I mentioned it last week.
-
I'm probably going to be using them on my work project tbh. Been eyeing the tech for ages now but the support was iffy.
We were considering building a separate application for it, but since the support is getting good we can probably get away with browser notifications now.
Having them in HTML spec is a bit close to crossing the line of what a webpage should be able to do on a system, but it's a godsend for some applications.
-
I can think of a number of places they'd be more useful in LOB-type applications. Running any kind of long-running job that you initiate from a browser, for example. "Your TPS report is ready", or "the payroll process has completed".
-
Yup. For my use I'd love it if you could put buttons in there too that communicate with the site that triggered them, but from what I can tell that's not doable.
And yes, I know, it would probably be a horrible idea. But damn would I like to have it for this one specific case.
-
I have no idea how you guys have missed this over the last, what, 3 solid years it's been in Chrome. You're not the first.
First, Firefox. Second, because no other site is stupid enough to use a feature like this. Here, let me show you the lifecycle of features like this:
- "You know what browsers can't do? X" Yeah, for security reasons, browsers can't... "FUCK SECURITY IMPLEMENT IT!"
- Feature gets implemented instantly, haphazardly, and without regard for the impact it will have
- Feature sits languishing, never used by anyone because it doesn't work right, and it doesn't work across all browsers.
- Someone decides how to either spam or hijack with this feature. Usually both. Users discover the feature this way. Feature X says: "BUY VIAGARA AND CHANGE PASSWORD AT SITE paypal.com.fuck [OK] [OK]".
- Browser makers scramble to throw tons of shit security ontop of it. One or all of: It's turned off by default, there's no UI to activate it, and any time it's used it requires explicit permissions via a popup.
- So no one codes for the feature, because only 1% of the use cases for it are legitimate, and AJAX exists.
- No one enables it because of the extreme negative experiences they've had. It isn't worth 99% of shit for that 1% site.
- Despite all this, one dumb fucking asshole will still make their site dependent on it, making sure the feature cannot be deprecated or removed. That dumb asshole is surprised when no one knows what the feature is, refuses to use it, and their software is eventually exploited because of it.
(For the record, I'll leave it up to the reader's guess as to which software developer #8 refers to).
If I knew how to do tags in this shit pile, I'd tag this ActiveX and Java Plug-In.
-
@Lorne_Kates said:
no other site is stupid enough to use a feature like this.
I saw it on a tv station's website. I'm pretty sure @boomzilla saw the same article on the same site.
TV stations are some of the assholiest sites out there; they've all already got "GET OUR APP INSTEAD OF OUR WEBSITE." I'm actually, now that I know about notifications, surprised they aren't all already using them.
-
I have no idea how you guys have missed this over the last, what, 3 solid years it's been in Chrome. You're not the first.
Discourse-based sites are the first I've used which have used this, though.
-
@Lorne_Kates said:
8) Despite all this, one dumb fucking asshole will still make their site dependent on it, making sure the feature cannot be deprecated or removed. That dumb asshole is surprised when no one knows what the feature is, refuses to use it, and their software is eventually exploited because of it.
GMail? Steam web chat?
-
I fail to see the security concern, since literally the only thing you can do with the notifications is have a page open when you click them. After you've approved the request to show the notifications.
Chrome's (and presumably Firefox, don't know for sure) handling of notifications is pretty much exactly like I'd expect it to be - Sites pop up a standard Chrome notification (which plugins can do anyways...), you click it, it takes you to the site. It's not like this is really opening up a security hole or something - it's just a notification. Very easy to turn off too, you click the UI element the permission popup thing came from in the first place and disable them... Can someone spam them? Sure. Someone could also spam
alert("HI")or any other number of annoying Javascript things. I don't see how this is anything worse than what's already there, and the benefit of getting notifications from things like Gmail, and even *gasp* forum software, far outweighs the tiny vector of abuse.
-
As annoying as that would be (in particular in verbose Java), it would have the advantage of being able to support an asynchronous authorization process.
The Java way is to just do that in a separate thread if you want asynchronous… well, asynchronous anything.
I think the Java way is dumb as hell.
-
I saw it on a tv station's website. I'm pretty sure @boomzilla saw the same article on the same site.
Yes. I have desktop notifications on for gmail, since I typically have it open in a tab. Though I thought I'd installed an extension or something to make that happen. Maybe I didn't. Whatever.
TV stations are some of the assholiest sites out there
Freakin' autoplay is the worst. Especially when it's a delay, and you open up a tab in the background and it starts at some apparently random time.
-
I fail to see the security concern, since literally the only thing you can do with the notifications is have a page open when you click them. After you've approved the request to show the notifications.
If you fail to see the security or abuse concern with giving random websites the ability to display cross-tab notifications, OR to steal focus OR to provide a pathway out of the browser sandbox & interact with the desktop-- well, enjoy cleaning up that mess from your mom's computer when it lands.
-
GMail?
I use GMail and it's never once caused that same browser warning of "Gmail is trying to do some dumb shit, do you want to let it?"
Steam web chat?
I don't use Steam, so I couldn't say. Any other site I've been on with web chat (including Gmail) doesn't use it either.
-
@Lorne_Kates said:
If you fail to see the security or abuse concern with giving random websites the ability to display cross-tab notifications,
There are minor concerns, granted. That's why you need to approve the site first...
@Lorne_Kates said:OR to steal focus
Yep, that would be concerning
@Lorne_Kates said:OR to provide a pathway out of the browser sandbox & interact with the desktop
Yep, that too
@Lorne_Kates said:-- well, enjoy cleaning up that mess from your mom's computer when it lands.
Fortunately the last two aren't what this feature does...
-
@Lorne_Kates said:
to steal focus
@Lorne_Kates said:provide a pathway out of the browser sandbox & interact with the desktop
FUD much?Browser notifications pop up a small window that doesn't steal focus and acts like a hyperlink. That's it.
-
@Lorne_Kates said:
I use GMail and it's never once caused that same browser warning of "Gmail is trying to do some dumb shit, do you want to let it?"
Take a look in your settings:
If those are off, then it's not trying, so it doesn't need to ask. I don't recall if it asked me when I turned that on whenever I did that. Probably shortly after chrome got notifications.
-
@Lorne_Kates said:
If you fail to see the security or abuse concern with giving random websites the ability to display cross-tab notifications
AFTER you allow them to. And they don't inject into the tab you're looking at or anything.
@Lorne_Kates said:
OR to steal focus
Only if your window manager is retarded. Is it?
@Lorne_Kates said:
OR to provide a pathway out of the browser sandbox & interact with the desktop
As does any extension, potentially. @aliceif XSSed an extension @Yamikuronue was running just the other day by complete accident.
@Lorne_Kates said:
OR to provide a pathway out of the browser sandbox & interact with the desktop
Just like your entire browser? Security vulnerabilities can pop up anywhere, not just notifications.
It's as every other feature or a piece of software. Can it be broken? Probably. Will it be? Likely. Is it any worse than any other piece of software on your computer? Probably not.
-
Freakin' autoplay is the worst. Especially when it's a delay, and you open up a tab in the background and it starts at some apparently random time.
Those are the worst. I think I mentioned this here: By spells, I use Wowhead a lot, and I actually whitelisted them in ABP. Then I noticed that they would start an autoplay ad after about 5 minutes. It was horrible, before Chrome started putting the speaker icon in the tabs. Because of that it took me a few tries to figure out it was them, but off the whitelist they went.
I probably should send them a cranky email saying that I unwhitelisted them specifically because of that. they might pay attention. Probably not, but maybe.
-
Browser notifications pop up a small window that doesn't steal focus
Mine did.
FIREFOOOOOOOOOX!!!
To be clear: it stole focus while I was typing on a textarea on the same tab.
-
@Lorne_Kates said:
OR to steal focus
Nothing should steal focus. Ever. The only case where a newly created window should get focus is if it was created based on a specific input event from me, and I did not touch my keyboard or mouse since.
-
+++++++++<body is invalid, try to be a little more descriptive
-
There are settings for this in some WMs. I keep mine at "no, don't focus shit, thanks" (which is the default in 99% of cases), but there are settings.
-
-
Yeah, maybe. They seem to be enjoying adding new icons on the toolbar out of the blue lately.
-
Yeah, maybe. They seem to be enjoying adding new icons on the toolbar out of the blue lately.
I've never, ever been happy with FF, all the way back to the very first public beta of Netscape. I've used it when it was the best and/or least annoying browser, but I've never liked it. When Chrome became usable, I dropped it and never looked back.
I open it, occasionally, to verify web pages I work on, work with it, but that's it these days. And I even do that from another computer, heh.
-
Browser notifications pop up a small window that doesn't steal focus and acts like a hyperlink. That's it.
Chrome's first implementation was a buggy piece of shit and would steal focus and minimize fullscreen games.
I'm still bitter, so I never turn it on out of spite. It's probably fixed by now though.
-
It definitely steals focus on Chrome as well.
-
OR to steal focus
Only if your window manager is retarded. Is it?
Mine did.
FIREFOOOOOOOOOX!!!
Chrome's first implementation was a buggy piece of shit and would steal focus and minimize fullscreen games.
It definitely steals focus on Chrome as well.
I'll refer back to my earlier comments about it being a horribly implemented piece of shit that, even if they do eventually get it right, will be blocked by a majority of users because they don't trust it to work properly. Since it's blocked, the only people who will try to use it are:
- idiots who don't know most people block it, and will get angry when their webpage that relies on it doesn't work
- idiots who don't know it's a piece of shit feature, and will get angry when their webpage that relies on it doesn't work
- spammers who will throw every piece of shit against the wall they can in hopes of shoving another ad in your face
- Malware bots who try every security hole to catch the idiots who haven't disabled the feature yet.
Notifications API Standard
