W3C give up on preventing PWAs from tracking users

[corty]

A PWA has lots and lots of issues regarding trackability. start_url is just a very minor part of that. An application that is actually a weird website will be able to track you, there will be Javascript with tons and tons of attack surface for this.

If you don't want tracking, use proper local applications and deny them network access.

[dccoolgai]

This smells like a story Apple shopped out to keep defending their 30 percent racketeering operation. PWAs are better than native apps for privacy and security in almost every single way.

[krimeo]

There are so many more ways to track you, not sure why the fuss about PWAs which almost noone is using.

For example you can just use WebGL for fingerprinting the browser.

[lloydatkinson]

Once again proving W3C is absolutely useless.

[butz]

A great opportunity for Firefox to implement PWAs with privacy protection and use it as main selling point.

[corty]

The only winning move is not to play. The only privacy-preserving PWA doesn't have network access. Which excludes the 'W' part...

[hawkoy]

Just disconnect your phone from the internet.

Native apps aren't much better. The real solution is to use FOSS apps that you can check yourself and trust regardless of pwa or native.

Your browser and device already had APIs to track you long before PWA standard and they still do.

https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-...

https://www.theverge.com/2020/7/25/21338151/instagram-bug-ca...

https://github.com/facebook/facebook-ios-sdk/issues/1374

https://github.com/facebook/facebook-ios-sdk/issues/1427

[SahAssar]

Why can't they refetch the manifest.json when cookies are cleared? That would give it a new ID.

[Crosseye_Jack]

Then you are just pushing where the uuid is stored up stream another step.

In order to refetch the manifest you will have to remember it’s location. Just use /<uuid>/manifest.json as the manifest location and have the server inject that into manifest file when fetched.