An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)
What's worse is they look like native OS alerts (on Windows) so when one says "SECURYIRT ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
Communication platforms: messaging apps (Slack, Discord, etc.) and email sites (Gmail and co.) also make sense. Financial platforms (banks, Stripe, etc.).
Once you start getting out of these two categories, then yeah, it gets silly. No way should an airline website even be allowed to ask to send push notifications.
Google does have a way for Chrome users to not show the notification window (https://yespo.io/blog/google-chrome-will-now-block-abusive-b...) by default (https://support.google.com/webtools/answer/9799829?hl=en) but I really wish that this was flipped, so that Google would first need to approve sites to use notifications, similar to the Public Suffix List.
Your flight is delayed/now boarding/etc?
Your phone needs a web browser or an app. An app for every airline you ever use? You already have a web browser.
They could SMS but it's more expensive to send, often even more so for customers on roaming to receive.
Nothing else is universal.
I think there are much better possible solutions. An open notification standard or reasonable pricing of bulk sending SMS would do it.
If browser notification permissions had a TTL, I might consider it. But until this happens I won't allow anyone to send me browser notifications. And even then I'd be very picky.
And yet I’m sure airlines will push you towards the app every time!
Generally, the recommendation is that you get to the airport at least two hours before your flight departs. Ideally, you shouldn't be rushing to try to get your plane.
Granted, the world has changed since that was first a recommendation, but even in today's connected world, it's still a good idea to get there two hours before departure, in my experience.
A lot of delays are known much earlier than that. For example if a flight gets seriously delayed taking off and the plane is going to turn round and return, then the return flight will be delayed.
In any case, once at the airport delays will be announced and shown on screens. Once you get there you do not need phone notifications.
Financial data or travel info is something I'm actively watching, when I travel, just like car traffic. Otherwise, why would I need to know? That's a good question to ask anyway anytime you come across an inbox. I have been in management really long now and designing your information flow strategically is crucial to being effective.
It seems that companies like this can't help but abuse the permissions I grant them, so the result is that they don't get any permissions at all.
I don't understand why people would want that, but neither do I understand the people who actually enter their email address in those "subscribe to my newsletter" popovers.
It's not that there are 0 use cases where it could possibly be convenient to get notifications from a plain site but, like you said with the email example, 95% of the legitimate use cases are probably better modeled as an app anyways.
It's always saddened me that people failed to understand the web platform, and never more so than today when that platform could be on the verge of extinction.
Young people don't remember this: in the 1990s if a big corporation wanted to make a 1-line change to an application deployed to a fleet of desktops they'd have to update every single machine and to do so they'd probably have to hire at least 1 FTE and probably more for installer engineering and other makework.
With the web it is often "git pull" on the server and you're done!

As it is I can find web sites with search, links from other sites, bookmarks and history. If you "install" applications you just clutter up your desktop with 300 icons for applications you don't really use which makes it hard to find the 2-3 that you really use.
> In Firefox you can completely disable beforeunload events by setting dom.disable_beforeunload to true in about:config. Extensions may be needed for other browsers.
A word of caution: I'm not 100% sure, but I wonder if some web collaboration tools might use this to ensure data has been synced with a server.
Having said that, it should never be the end of the world to disable, sites should never have data loss due to this event missing, because if so, they already have a data loss problem when for instance the power goes out.
For copy-paste: dom.event.clipboardevents.enabled=false I would guess.
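The thread above argues that a site which loses data when beforeunload never fires already has a data-loss problem. As an added illustration (not code from the original thread or from any particular collaboration tool), here is the shape of an autosave that treats beforeunload as a last resort rather than as the persistence path. The `persist` function, the `/api/draft` endpoint and the timer injection are assumptions for the example.

```javascript
// Added example: durable autosave that does not depend on beforeunload.
// Saves are driven by edits (debounced) and by visibilitychange/pagehide,
// which also fire on mobile and on tab kills where beforeunload never runs.
// `persist` is an injected, hypothetical save function (e.g. a keepalive
// fetch to the app's sync endpoint); it is fire-and-forget, so `saved` is
// updated optimistically once the request has been handed off.

class DraftStore {
  constructor(persist, { debounceMs = 500, setTimer = setTimeout, clearTimer = clearTimeout } = {}) {
    this.persist = persist;
    this.debounceMs = debounceMs;
    this.setTimer = setTimer;     // injectable so the logic can be driven without real delays
    this.clearTimer = clearTimer;
    this.draft = "";
    this.saved = "";              // last content handed to persist()
    this.timer = null;
  }

  get dirty() { return this.draft !== this.saved; }

  // Called on every input event; coalesces bursts of keystrokes into one save.
  edit(text) {
    this.draft = text;
    if (this.timer !== null) this.clearTimer(this.timer);
    this.timer = this.setTimer(() => { this.timer = null; this.flush(); }, this.debounceMs);
  }

  // Push whatever is unsaved right now. Returns true if a save was issued.
  flush() {
    if (this.timer !== null) { this.clearTimer(this.timer); this.timer = null; }
    if (!this.dirty) return false;
    const snapshot = this.draft;
    this.persist(snapshot);
    this.saved = snapshot;
    return true;
  }
}

function attachToPage(store, win) {
  // Tab switch, minimise, navigation: the most reliable "user is leaving" signal.
  win.document.addEventListener("visibilitychange", () => {
    if (win.document.visibilityState === "hidden") store.flush();
  });
  win.addEventListener("pagehide", () => store.flush());
  // Last resort only. A user with dom.disable_beforeunload=true never reaches
  // this handler, and nothing is lost because the data already went out above.
  win.addEventListener("beforeunload", (e) => {
    if (store.flush()) e.preventDefault(); // prompt only when a save was still pending
  });
}

if (typeof window !== "undefined") {
  const store = new DraftStore((draft) => {
    fetch("/api/draft", { method: "PUT", body: draft, keepalive: true }).catch(() => {});
  });
  attachToPage(store, window);
}
```

The `keepalive` flag lets the request outlive the page, which is what makes the pagehide path usable; `navigator.sendBeacon` is the older equivalent. A tool that only syncs from beforeunload loses the mobile and crash cases regardless of any about:config setting.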
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
- Web-based email
- Web-based chat
That’s it. Every other use case seems to be solving a “them” problem (how do we increase engagement?) and not a “me” problem.
Even if I wanted to hear about updates from a website (and I never do), I could sign up for emails. And If I don’t trust a website with my email, I certainly don’t trust them with sending me push notifications.
In fact, let me take chat apps off that list, because if I don’t have the webapp open in a browser window, the chat app should have the option to just email me about someone trying to message me (and ideally, letting the other party know I’m unavailable and letting them choose whether to send me the email.) So no, really just email and that’s it.
I’m super curious what your use cases are if you use web-based push notifications “all the time”.
Google Chrome
chrome://settings/content/notifications, or Settings > Privacy and security > Site settings > Notifications
Under "Default behavior," select: Don't allow sites to send notifications.
------------------
Mozilla Firefox (Desktop)
Settings > Privacy & Security Scroll to the "Permissions" section, find "Notifications," and click "Settings…"
At the bottom, check: Block new requests asking to allow notifications.
------------------
Microsoft Edge
Settings > Cookies and site permissions > Notifications Set the default to block all notification requests.
------------------
Safari (macOS)
Safari > Settings (or Preferences) > Websites tab > Notifications Untick: Allow websites to ask for permission to send notifications
------------------
Samsung Internet (Android)
Settings > Notifications > Allow or block sites
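For a fleet rather than one machine, the same switches exist as managed policy. This is an added example, not part of the post above; the two hostnames are placeholders for whatever mail and chat origins an organisation actually wants to keep. For Chrome and Edge, a JSON file dropped into the managed policy directory (on Linux /etc/opt/chrome/policies/managed/ and /etc/opt/edge/policies/managed/ respectively; on Windows the same keys go under HKLM\Software\Policies\Google\Chrome and HKLM\Software\Policies\Microsoft\Edge) blocks the prompt everywhere except an explicit allowlist:

```json
{
  "DefaultNotificationsSetting": 2,
  "NotificationsAllowedForUrls": [
    "https://mail.example.com",
    "https://chat.example.com"
  ]
}
```

Value 2 means block, 1 allow, 3 ask. Firefox's policies.json carries the equivalent under "Permissions" > "Notifications" with "BlockNewRequests": true, "Locked": true (so the user cannot flip it back) and an "Allow" list of origins. Locking it is the part that matters for the relative in the first comment: a setting that can be re-enabled by clicking "Allow" on a scary page is not a setting.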
50% spam
49% scams
1% other

and now people are just catching up to the obvious.

Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
Notifications are just another convenient thing that me and you use every day.
Perhaps these things should be disabled by default, or requested upon being needed, but that's not really your argument it would seem.
This kind of automated performance tuning is almost always more annoying than useful.
> Notifications are just another convenient thing that me and you use every day.
Who is "me and you"?
But yeah, web browsers basically run arbitrary code written by hostile companies, with layers of indirection to confuse accountability. In that environment, you have to weigh "nice to have" against "could be abused," and err on the side of caution.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.
What’s the purpose of being bounced across several different domains before arriving at the destination? I’ve noticed this behavior when accidentally clicking on sketchy ads, but never stopped to think about it.
I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
Welcome to Microsoft/Live/Bing/Skype/Edge/...
So I need a "SSO login page", which fetches some configuration data, stores it, generates some shared tokens, hands them to the browser, and then redirects the user to an Okta endpoint. Okta, for some reason, doesn't directly serve the login screen at that endpoint, so it captures the tokens I gave the browser, then redirects to its login page. The user logs in on the Okta page, which then redirects the user back to a page that I specified, which (since I don't want to touch the fragile 10,000 line PHP document that is the application's home page) is a separate page, which gets some information from the browser, makes a request to another Okta endpoint, at which point the user can be authenticated, logged in, and then sent to the home page of the app.
Basically, the most standalone way of handling the problem involves 4 redirects.
Not sure if that's the purpose but it could potentially be used for tracking, monetization, etc
VPN with ad blocking built in.
https://support.mozilla.org/en-US/kb/safari-integration-fire...
The only other extension I’ve started using recently, when the quantity/frequency of YouTube ads on Safari became unbearable, is 1Blocker. It includes a specific filter for blocking YouTube ads, and you can use one active filter for free without subscription.
https://support.1blocker.com/en/articles/9313640-how-to-bloc...
Unfortunately, because real alternative browsers are only supported in the EU (and even then with big asterisks), you won't see a normal browser engine with powerful content blocking any time soon. The content filters you can download from the app store help, but they're not as powerful as uBO and friends.
I think the extension support is explicitly disallowed by Apple so shhh don’t tell anyone teehee!
Browser gave it a front row seat without asking. Feels less like security and more of a prank someone forgot to turn off.
There are tons of permissions a site may or may not request, all of them configured and requested in different ways. Sometimes it is a full page overlay, like when you get a certificate error. Sometimes it is a separate popup window, like when you allow using a client certificate. Sometimes it is a whole-width bar below the address bar, like when a page requests becoming your mailto:-scheme-handler. Sometimes it is a smaller popover dangling from the address bar or some icon there, like for camera or location. Sometimes I can allow/deny, sometimes I can allow or just close that tab. Sometimes I can remember the setting, sometimes it is auto-remembered.
As soon as the initial setting has been configured, removing or reconfiguring it happens in totally different and unobvious places again.
And then, If I allowed something and there is e.g. a notification from a website, the browser hides the fact that this is a browser-based notification, there are no embedded "STFU, never show again" buttons or anything.
There also is no simple place to just look at all the permissions some website might have. There also isn't a place for many permissions, where you can get a list of websites that have e.g. camera permissions.
It is all just very opaque, non-obvious, historically grown inconsistent spaghetti.
What needs to happen is a consistent permission request and change flow for everything a website wants to do. Not only with "allow forever/deny forever", but also with "allow/deny once", "allow/deny for session", "allow/deny for timeframe". And with an "allow to ask again after timeframe/never/..." selection. Not with popups or bars, but with a whole-page overlay like HTTPS does. Why whole-page? Because then clickjacking won't work, there is more space to put an explanation and options, and pages need to interrupt flow so this will hopefully be used sparingly.
Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.
Russia has evolved along with us on the Internet and I'd remind Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.
Fake camping sites with AI content whether its disinformation or deception or hallucination with no human proofreading, is a looming problem. Keep an eye on the prize, preventing old people from getting scammed.
People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.
Every time I read an article though I feel like my eyes go cross eyed. It’s like you said, the words are there they should make sense, but I find my attention wandering.
It’s like they are written by a very very early LLM.
Krebs needs to ditch the TDS.
His "Red Herring DNS flaw" garbage was when I realized that 90% of what he spits out is Gell-Mann amnesia.
Put CAPTCHAs on your site: zero traffic.
EU adds those cookie banners to everything: EU should have been disconnected from the internet.
EU required website operators to disclose certain uses of cookies and many of them chose the most obnoxious way possible. Perhaps more agreeable: every website that uses those banners should be disconnected from the internet.
For years I advocated, mostly successfully, to keep pop-ups, pop-unders, pop-ins and other abuse like that out of sites I worked on. Then the EU pulls this magic trick that transforms them into something required, and then "wholesome" so after that the dam breaks and it is common for a blog today to pop up three banners that want your email address, for pop-up ads to cover other pop-up ads, etc.
When your government is unresponsive like that the only choice is exit, no wonder the EU is overrun by populists that want out. If they don't want Frexit and Sprexit and Grexit they'd better think twice when they make another thoughtless law with terrible consequences.
You know EU law only applies in the EU? And blockers exist? I always howl with laughter when some bumhole USA newspaper presents me with a cookie banner that got through. Then i change vpn-server, read what i want, and get on with my tawdry existence.
preinheimer•19h ago
With the range of different ways captchas are presented today I can see it getting a good % of folks.
pixl97•17h ago
Early in the internet days I had run an open SMTP server for a few years before it was used as a spam relay. The web browser didn't have a security model. Online shopping was going up to a site, writing what you wanted on paper, then mailing off a money order.
Then both fraud and useful things like actual online shopping started happening while the size of the web exploded. Masses of people with no technical capability were getting online. And that's before we got to the age of social media and massive data collection.
Simply put we didn't make the 'web' part of the internet, some people tossed it out as a child and it's been a tooth and nail fight for survival ever since, patching itself up one vuln at a time.
miki123211•11h ago
If you learn once that clicking "deny" in a notification pop-up means your phone doesn't ring when your grandson calls you on Whats App, you won't be clicking "Deny" in those pop ups any more.
I genuinely don't know how to solve that problem, and I definitely see non-technical family members struggle with it.
Sophira•7h ago
So, given that we knew that, why the hell did we create more?
const_cast•2h ago
Auto-deny leads to a lot of unexpected and broken behavior, and most users aren’t going to know where to go to enable that type of stuff.
But auto-enable is even worse: because malicious actors can get permissions they shouldn’t. In fact, even with mainstream applications, most of the permissions they ask for they don’t need to operate - they’re just used for tracking and data exfiltration.
So ask every time has been the solution and it works okay. iOS actually does a good job with this. For suspicious permissions, such as accurate location data all the time, it periodically re-prompts. It’s annoying, but it can catch a lot of suspect behavior. There are shockingly few apps that need your exact location when the app isn’t open.