Safari is still hostile to PWAs, even on macOS Big Sur


Apple wrapped up their annual WWDC conference last week, where the company showed off a number of updates to various Apple products and services. Among them were updates to the next version of macOS, Big Sur, and its built-in browser, Safari.

In what Apple says is an effort to protect the privacy of its users, it will not implement a number of advanced web app technologies:

  • Web Bluetooth – Allows websites to connect to nearby Bluetooth LE devices.
  • Web MIDI API – Allows websites to enumerate, manipulate and access MIDI devices.
  • Magnetometer API – Allows websites to access data about the local magnetic field around a user, as detected by the device’s primary magnetometer sensor.
  • Web NFC API – Allows websites to communicate with NFC tags through a device’s NFC reader.
  • Device Memory API – Allows websites to receive the approximate amount of device memory in gigabytes.
  • Network Information API – Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes.
  • Battery Status API – Allows websites to receive information about the battery status of the hosting device.
  • Web Bluetooth Scanning – Allows websites to scan for nearby Bluetooth LE devices.
  • Ambient Light Sensor – Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device’s native sensors.
  • HDCP Policy Check extension for EME – Allows websites to check for HDCP policies, used in media streaming/playback.
  • Proximity Sensor – Allows websites to retrieve data about the distance between a device and an object, as measured by a proximity sensor.
  • WebHID – Allows websites to retrieve information about locally connected Human Interface Device (HID) devices.
  • Serial API – Allows websites to write and read data from serial interfaces, used by devices such as microcontrollers, 3D printers, and others.
  • Web USB – Lets websites communicate with devices via USB (Universal Serial Bus).
  • Geolocation Sensor (background geolocation) – A more modern version of the older Geolocation API that lets websites access geolocation data.
  • User Idle Detection – Lets websites know when a user is idle.

“WebKit’s first line of defense against fingerprinting is to not implement web features which increase fingerprintability and offer no safe way to protect the user,” Apple said.

Apple claims that the 16 APIs in the list would allow online advertisers and data analytics firms to create scripts that fingerprint users on Safari and track them across the web. Fingerprinting began its rise in response to ad blockers and other browser-level anti-tracking measures.

For Web APIs already implemented in Safari years before, Apple says it has been working to limit their usefulness as a fingerprinting vector. So far, Apple said it:

  • Removed support for custom fonts. This means only presenting built-in fonts which are the same for all users with the same system.
  • Removed minor software update information from the user agent string. The string only changes with the marketing version of the platform and the browser.
  • Removed the Do Not Track flag, which ironically was used as a fingerprinting vector, adding uniqueness to the users who had enabled it.
  • Removed support for any plug-ins on macOS. Other desktop ports may differ. (Plug-ins were never a thing on iOS.)
  • Required a user permission for websites to access the Device Orientation/Motion APIs on mobile devices, because the physical nature of motion sensors may allow for device fingerprinting.
  • Prevented fingerprinting of attached cameras and microphones through the Web Real-Time Communication API (WebRTC).
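
The uniqueness effect behind the Do Not Track item, and behind Apple's objection to APIs such as Device Memory, can be measured as the size of the anonymity sets a script is able to form. The following is an added example, not code from Apple or from the original article; the eight-visitor population and its attribute names are constructed for illustration.

```javascript
// Constructed sample population (not measurement data): the values a script
// could read from eight visitors. Attribute names and values are illustrative.
const population = [
  { ua: "browser-A", dnt: "unset", deviceMemory: 8 },
  { ua: "browser-A", dnt: "unset", deviceMemory: 8 },
  { ua: "browser-A", dnt: "unset", deviceMemory: 4 },
  { ua: "browser-A", dnt: "unset", deviceMemory: 4 },
  { ua: "browser-A", dnt: "1",     deviceMemory: 8 },
  { ua: "browser-B", dnt: "unset", deviceMemory: 8 },
  { ua: "browser-B", dnt: "unset", deviceMemory: 8 },
  { ua: "browser-B", dnt: "unset", deviceMemory: 4 },
];

// Self-information of one observed value: -log2(share of visitors with it).
// The rarer the value, the more identifying bits it contributes.
function surprisalBits(profiles, attr, value) {
  const matches = profiles.filter((p) => p[attr] === value).length;
  if (matches === 0) throw new RangeError(`no profile has ${attr}=${value}`);
  return -Math.log2(matches / profiles.length);
}

// Group visitors by the attributes a script can read. Each group is an
// anonymity set: its members look identical to that script.
function anonymitySets(profiles, attrs) {
  const sets = new Map();
  for (const p of profiles) {
    const key = JSON.stringify(attrs.map((a) => p[a]));
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Visitors who are alone in their set can be singled out by these attributes.
function uniqueVisitors(profiles, attrs) {
  return [...anonymitySets(profiles, attrs).values()].filter((n) => n === 1).length;
}

// Compare the same population as more attributes become readable.
function report(profiles) {
  return [["ua"], ["ua", "dnt"], ["ua", "dnt", "deviceMemory"]].map((attrs) => ({
    attrs: attrs.join("+"),
    sets: anonymitySets(profiles, attrs).size,
    unique: uniqueVisitors(profiles, attrs),
  }));
}

console.table(report(population));
console.log("bits from dnt=1:", surprisalBits(population, "dnt", "1"));
```

Each attribute that is removed or made uniform merges anonymity sets, which is the effect the mitigations in the list above aim for.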

Okay, Apple protecting us from this sounds great, right? Um, maybe not so much. Let’s examine the consequences of that move.

Self-preservation

The web is celebrating this as a huge milestone for privacy, and it is, but only for Apple devices, and that isn’t the only thing we take issue with. We are not saying that the Safari team is up to anything nefarious, mind you; we just believe Apple is motivated by self-preservation more than anything else. If any of them ever brought up the idea of Safari supporting PWAs to Apple’s leadership team, the room would get really quiet, real fast.

PWAs are the key and App Stores are the lock

In our three-part series, starting with The Illusion of platform choice. Part 1, we touched on Apple’s behavior as it tries to protect its App Store, and on the App Store being the key to its platform power.

PWAs are the key to seeing more diversity in operating systems and reducing reliance on the App Store model. Who do you think stands to lose the most if PWAs become a success? Yes, that’s right: the company that created the App Store Warehouse model in the first place, Apple.

What if we still had WebOS, FireFoxOS, Symbian, Blackberry OS, Windows Mobile, MeeGo and others? PWAs are the key to more platform choice and App Stores are the lock.

We are hopeful that PWAs that a user pins to their home screen will work reliably and as expected when PWAs are eventually supported, but we are not holding our breath.