
W3C give up on preventing PWAs from tracking users - indentit
https://www.theregister.com/2020/07/31/w3c_progressive_web_app_privacy/
======
corty
A PWA has lots and lots of issues regarding trackability. start_url is just a
very minor part of that. An application that is actually a weird website will
be able to track you, there will be Javascript with tons and tons of attack
surface for this.

If you don't want tracking, use proper local applications and deny them
network access.

------
dccoolgai
This smells like a story Apple shopped out to keep defending their 30 percent
racketeering operation. PWAs are better than native apps for privacy and
security in almost every single way.

------
krimeo
There are so many more ways to track you, not sure why the fuss about PWAs
which almost noone is using.

For example you can just use WebGL for fingerprinting the browser.

------
lloydatkinson
Once again proving W3C is absolutely useless.

------
butz
A great opportunity for Firefox to implement PWAs with privacy protection and
use it as main selling point.

~~~
corty
The only winning move is not to play. The only privacy-preserving PWA doesn't
have network access. Which excludes the 'W' part...

~~~
searchableguy
Just disconnect your phone from the internet.

Native apps aren't much better. The real solution is to use FOSS apps that you
can check yourself and trust regardless of pwa or native.

Your browser and device already had APIs to track you long before PWA standard
and they still do.

[https://arstechnica.com/gadgets/2020/06/tiktok-
and-53-other-...](https://arstechnica.com/gadgets/2020/06/tiktok-and-53-other-
ios-apps-still-snoop-your-sensitive-clipboard-data/)

[https://www.theverge.com/2020/7/25/21338151/instagram-bug-
ca...](https://www.theverge.com/2020/7/25/21338151/instagram-bug-camera-
privacy-ios14-apple)

[https://github.com/facebook/facebook-ios-
sdk/issues/1374](https://github.com/facebook/facebook-ios-sdk/issues/1374)

[https://github.com/facebook/facebook-ios-
sdk/issues/1427](https://github.com/facebook/facebook-ios-sdk/issues/1427)

------
SahAssar
Why can't they refetch the manifest.json when cookies are cleared? That would
give it a new ID.

~~~
Crosseye_Jack
Then you are just pushing where the uuid is stored up stream another step.

In order to refetch the manifest you will have to remember it’s location. Just
use /<uuid>/manifest.json as the manifest location and have the server inject
that into manifest file when fetched.

