The argument Apple is making from my understanding is that to comply with the law the system must allow other browsers and have a system setting of the default browser.
Currently PWA's open in an app that wraps Safari's engine to display the content and provide features but is not normal Safari. They interpret this to violate the browser choice law.
Their solution is to turn that feature off and go back to the icon just spawning the system default browser just like any link since that feature already existed.
To support true PWA's they probably have two choices:
1. Implement a standard WebView API that any engine can support then use that web view api for the PWA shell.
2. Do what Android seems to do and have a api that allows an app to create new launcher icons separate from the main app that starts the main app with parameters like url=https://pwa.com mode=pwa. Then if you create a PWA from Chrome it spawns Chrome if created from Safari it spawns Safari with whatever PWA UI they want. On Android it seems to make a little icon bottom right letting you know the parent app.
#1 is arguably more complex than #2, both are new api's for iOS that don't exist. #2 is on most desktop OS's like MacOS but not on iOS as far as I know.
Apples position is they don't want to put any resources in to creating a new api that could introduce new security surface area unless mandated to. Obviously their motives are not pure but it is a defensible position.
I think #2 would be a good feature adding flexibility to many apps, but the various shenanigans that apps could cause with that would need to be considered.
I think it's less a preference question and more whether Apple thinks saving PWAs with a third party browser and then launching them with Safari is compliant with the DMA.
Handwriting a 30 page assessment questionaire, fumbling a camera take relevant photos, and then manually correlating the photos to the assessment questions as it's written up properly... Is somehow better than a PWA?I
PWAs aren't a golden hammer, but they're not as useless as your opinions.
How would suddenly disallowing users to run a PWA that worked for years improve platform security? How would having Spotify be able to use their own subscription system compromise platform security?
Being able to install software without needing an OK from the hardware manufacturer has been standard for over 40 years now. People do it on Windows PCs, on Linux PCs, on MacBooks and on Android phones, and that very clearly has not caused the extinction of the dinosaurs yet :)
The document Apple has published to me reads like it's written by a 5 year old that just was served too many sweets shortly before bed time.
IMHO this is about revenge, not about platform security.
They are not allowed to give their browser an advantage under the DMA. If you take a look at BrowserEngineKit and BrowserKit there is a significant API surface area they offer for third-party browser engines. They must have been building this for some time. It's really detailed, down to allowing developers to implement their own JIT! [1] they have custom UI components replacing their standard scroll views with ones that better support nested scrollable DOM elements. It's a staggering amount of engineering effort
I can totally believe that there is not enough time to re-think and re-architect how to implement push notifications, local storage and whatever other perks PWAs get for non-Safari third-party browser engines running as "apps." They may have lots of money and engineers, but throwing more of them at this problem is not going to build a well designed, thoroughly tested, and secure implementation any faster
I am not even sure that the EU has mandated that PWAs must be able to run in other browsers. Did you see any such regulation?
From what I understand, the regulation is about allowing users to install third-party apps including browser and of course PWAs. I doubt they mandate what browser engine the app uses, that's the apps business only.
I think the DMA mandates that Apple not give Safari advantages over other browsers. Being able to run PWAs seems like it could be considered an advantage? Not sure though
It's pretty obvious. They're not disallowing it. They are removing the integration with the home screen so that it will run in third party browsers. That limits it to the smallest common API surface which is "open link". Everything else was a luxury.
I don't think you work in IT if you haven't had an infested windows, android or macOS box before. Hell I just spent the other day cleaning my father's Mac out of two VPN turds fighting with each other he installed after watching crap on YouTube. My daughter's windows machine got destroyed by unsigned crap from a Sims mod. You just don't get that on iOS apart from the odd calendar subscription turd.
As for spotify, they use their own subscription system, not the app store.
Not my intention to brag about it, but I run an R&D company and have invented and patents on quite a lot of network technologies :)
The only time in my life where I had an infected devices was in the year 1993 - a boot sector virus on a floppy disk I got from someone.
Luckily my wife is a nerd, too, by sister is trained and has not yet fallen for any of the social engineering tricks before. So no, I do not have to deal with other people's infected boxes either.
Well, on the other hand it implies that most of my family is dead and buried already, and therefore would have a hard time annoying me with their IT problems.
If that's a good deal is a matter of perspective ;)
No. A PWA has exactly the same storage access, code etc as a normal web page. A PWA is set apart by having a manifest, which defines how it should act as an app. It has certain extra capabilities like accepting shares and so on, but it is not radically different from a web page.
That is saying it uses a different storage area for the same thing and you presumably end up with different service workers between web and the app. Is that a good thing? My guess is they had no other choice.
Every browser other then Safari has the same storage for both PWA and website. Apple claims separate storage is "great for privacy" -- forcing you to use the cloud to sync between the PWA and the website.
>> Microsoft does it all the time with Edge on Windows.
Edge on windows, the same edge on windows that got caught slurping up chrome tabs recently?
Browsers are now the same size code base wise, as operating systems. They are in fact tiny OS's with permissions models and execution environments.
I think the author makes the point that safari made a lot of progress, they paid for a lot of work, that they are throwing away. Spite is a reason, but security is also a reason... We have seen how bad things can be when browsers cohabitate on desktops, putting up hard walls now solves the problem before it starts. Phone users aren't loosing (much) of anything, taking away something that they didn't have and didn't exist MIGHT be for security reasons...
Aren't apps already sandboxed from eachother on both major Phone OS', unlike on Windows? So on that end something like Edges snooping around other browsers isn't even possible.
If the video leaks due to shitty (pun not intended) sandboxing that is rightlfully on Apple (when on iOS), if it leaks due to the browser being broken then it is on Google and if it's due to an explicit modification of Samsung (when talking about Android) it's on Samsung.
When Facebook has a bug/exploit in their app that results in X hacker being able to gain access to files stored within the sandbox of Facebook noone is blaming Apple for Facebooks bug.
I feel like the reason most users don't care if they lose access to PWAs is because they haven't had much expose to them. Apple would prefer people continue to use stuff from their app store instead of PWAs and so they're squashing our opportunity to get to know and like them. It's yet another attempt to lock us into their app store
> Your non-technical family members and friends will likely fall for these at some point. For their sake, disable them.
As the famous proverb says "give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime". The best way to "fix" phishing attacks and malware is by making people more "technical". The only way to eliminate these phenomena is by educating people about what a Push Notification really is and that you simply don't have to click it.
The Web needs to be a competitive platform for apps next to the closed and "gated" App Stores. I think that we should not dumb down web browsers to simple page viewers.
I've been around the tech world for a few decades. This sentiment has often been repeated about things like this, but I no longer believe that it's viable. The tech world is just too fast-moving, which means there's not really any such thing as "education". If you manage to teach someone something, it'll probably be out of date in a year or two, if not less. You have to pay attention to the latest trends all the time to really be knowledgeable about it. That just isn't going to happen.
> The best way to "fix" phishing attacks and malware is by making people more "technical".
I've been trying to do this for 25 years. It has yet to be successful. Especially since the vectors of attack change constantly.
> The Web needs to be a competitive platform for apps next to the closed and "gated" App Stores. I think that we should not dumb down web browsers to simple page viewers.
Disagree 100%. With native(ish) apps at least I can do things like block internet access if I don't want them to "phone home". I can also downgrade (or not upgrade) them if they push regressive "updates". Web apps take all control away from the user. We need ways of running whatever we want on mobile. But using web apps as a workaround is a cure that's worse than the disease.
I've managed to get my parents to be suspicious about emails and phone calls, to forward me anything they're unsure of, to reply to any communications purporting to be from their financial institutions by calling back with the number on their card or statement, to install updates as soon as they become available, to use unique passwords for everything and so on....but I still regularly find malicious extensions installed on their browsers and homepages set to some fake version of Google.
I continue to try to educate, but nowadays I make sure they always have ad blockers installed (I believe most of the tricks they fall for stem from malicious ads) and I try to lock things down and disable features where it makes sense. I dislike the locked down world of iOS and what has become of MacOS, but I appreciate having it for devices they use. This is part of my job, I think about this stuff every day and I still worry I can't keep up, so I can't really expect the same from them.
> If I remember correctly they even removed C1 instances thus increasing the price of their “cheapest” option from ~€3 to ~6€.
I went ahead and checked Scaleway's pricing[1] and indeed their cheapest "development instance" is €0.01/hour, which translates to over €7/month.
Meanwhile, Hetzner offers a slightly beefier instance type at €0.0065/hour, €4.15/month, and at €0.0095 you can get an instance type that comes with twice the RAM [2]
I miss the C1. I was very happy with it from a technical perspective, less happy about their staff rarely updating the enforced boot script setup, letting them run on old outdated kernels. The official reason for decommissioning them was hardware instabilities, same reason they gave for ending their Arm64 offering. I ran a C1 server for 3.5 years and an Arm64 VPS for 1 year without a single problem.
Been waiting for this for so long. Especially the BroadcastChanel feature since there is currently no way for PWAs installed twice on the Home Screen to “share” data between them. Hope that BC fixes that
Imagine how much code like this is inside our "lightweight" browsers.
All the code reviews that passed this on to production make you wonder how competent these browser makers actually are..
I think that the browser should not treat every input field as a personal info form for the current user. There are plenty of cases of web apps I can think of where disabling autocomplete is best user experience overall.
It scares the hell out of me thinking about this type of hacky trash anywhere near crypto or sandbox code. I like to think that they have more experienced people working on that, but I'm not quite naive enough to really believe it.
Nice guide and love that it included WebPack for modern development.
I think the SVG with prefers media queries is not covering all cases, for example Chrome Anonymous dark “theme” and other user selected “themes” are impossible to check how they paint the background of the favicon area. So..the perfect solution in my view is still somewhere out there..
I wonder how much of Wave's death was from resistance from inside Google(GMail team, or even other execs). Fear for the destruction of GMail even from another Google product.
PWAs are already a separate “island” of storage and share nothing with Safari App…
Microsoft does it all the time with Edge on Windows.