
> TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”

Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.



Because people turned browsers into an app platform and users wanted their webmail and chat services to have the same first-class features native clients had.


Who wanted their web browser to let hostile programs send notifications and access battery levels, unused fonts, etc.? Ad companies run the web standards bodies, so "people" (i.e. you and me) have to deal with this.


In all fairness, some of these things you've mentioned could be useful. If your battery is low, reprioritize the webapp's functions, lower requests, disable anything not necessary in the moment.

Notifications are just another convenient thing that me and you use every day.

Perhaps these things should be disabled by default, or requested upon being needed, but that's not really your argument it would seem.


"Requested upon being needed" might work if it weren't possible for sites to get around it by probing and popping up their own "yes / ask me again later" dialogs. Have the APIs ask on the first call, with a "yes/no + make answer permanent" dialog, and return fake data if the answer is "no." If people were sufficiently annoyed by constant requests for stuff a basic webpage wouldn't seem to need, the web might become a better place.

But yeah, web browsers basically run arbitrary code written by hostile companies, with layers of indirection to confuse accountability. In that environment, you have to weigh "nice to have" against "could be abused," and err on the side of caution.
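The policy sketched in the comment above (ask once on first use, let the answer be made permanent, and hand a refused page fake data instead of an error so it gains nothing by probing or re-asking) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any browser; the API names, the fake values and the `askUser` callback are constructed stand-ins for a browser's real permission UI and device APIs.

```javascript
// Added example, not from the original thread: a small model of a browser-side
// permission broker implementing "ask on first call, optional permanent answer,
// fake data on refusal". Everything below is constructed for illustration.

const FAKE_RESPONSES = {
  // Generic, uninteresting values, so a refused page learns nothing about the device.
  battery: () => ({ charging: true, level: 1 }),
  fonts: () => ["Arial", "Courier New", "Times New Roman"],
  // A refused notification request looks granted to the page; nothing is ever displayed.
  notifications: () => ({ permission: "granted", displayed: false }),
};

class PermissionBroker {
  // askUser(origin, api) -> { allow: boolean, permanent: boolean } (stand-in for the UI dialog)
  constructor(askUser) {
    this.askUser = askUser;
    this.permanent = new Map(); // decisions that survive across sessions
    this.session = new Map();   // decisions that are forgotten by endSession()
    this.promptCount = 0;       // how many dialogs the user actually saw
  }

  key(origin, api) {
    return `${origin}|${api}`;
  }

  decide(origin, api) {
    const k = this.key(origin, api);
    if (this.permanent.has(k)) return this.permanent.get(k);
    if (this.session.has(k)) return this.session.get(k);
    // First use in this session: exactly one prompt, however often the page calls afterwards.
    this.promptCount += 1;
    const answer = this.askUser(origin, api);
    (answer.permanent ? this.permanent : this.session).set(k, answer.allow);
    return answer.allow;
  }

  // realValue is a thunk so the real API is only touched when the user allowed it.
  request(origin, api, realValue) {
    if (!(api in FAKE_RESPONSES)) throw new Error(`unknown API: ${api}`);
    return this.decide(origin, api) ? realValue() : FAKE_RESPONSES[api]();
  }

  endSession() {
    this.session.clear();
  }
}

// Demo: a page probes the battery API five times; the user refused it permanently
// and allowed font enumeration only for the current session.
function demo() {
  const broker = new PermissionBroker((origin, api) =>
    api === "battery" ? { allow: false, permanent: true } : { allow: true, permanent: false });
  const site = "https://example.invalid"; // constructed origin
  const realBattery = () => ({ charging: false, level: 0.13 });
  const realFonts = () => ["Arial", "Fira Code"];

  const seen = [];
  for (let i = 0; i < 5; i++) seen.push(broker.request(site, "battery", realBattery));
  const fonts = broker.request(site, "fonts", realFonts);

  broker.endSession(); // e.g. the user closed the browser

  const fontsAgain = broker.request(site, "fonts", realFonts);      // session answer expired: one more prompt
  const batteryAgain = broker.request(site, "battery", realBattery); // permanent refusal: no prompt, fake data

  return { seen, fonts, fontsAgain, batteryAgain, prompts: broker.promptCount };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows three prompts in total: one for the battery (permanent refusal), one for fonts in the first session and one for fonts in the second, while the five battery probes and the post-session battery call all receive the same generic fake reading and never reach the real API.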


> In all fairness, some of these things you've mentioned could be useful. If your battery is low, reprioritize the webapp's functions, lower requests, disable anything not necessary in the moment.

This kind of automated performance tuning is almost always more annoying than useful.

> Notifications are just another convenient thing that me and you use every day.

Who is "me and you"?


Because it's very useful.

You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.

That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".

As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.



