
Ask HN: Why is no one talking about the rampant abuse of the Web Push API? - throwaway2398
Every news website, and every other random website out there is asking users for permission to send those notifications as soon as the user opens the page. Sometimes, they first have a fake browser-looking dialog, and if the user clicks "Allow", they open the actual browser dialog (possibly to prevent getting disallowed and never getting the chance to ask again, since the choice is remembered).

What can browser developers even do about this, block all requests by default (therefore making it a feature almost no one uses)? Chrome doesn't even have a setting to block all requests.
======
untog
> Every news website, and every other random website out there is asking users
> for permission

Maybe we can dial back the hyperbole here. I agree that this (which is the
Notification API, not the Web Push API) is being abused, but I can't recall
having seen it on any major news web site. I actually see it far more on stuff
like tech blogs that are also obsessed with converting me to being a
newsletter reader.

But yes, it's infuriating. Safari is probably the worst as it presents a modal
popup - at least in Chrome it doesn't take focus. The solution seems very
simple: make it only work in response to a click event. Which is something
browsers already do for a lot of stuff (like opening a window) and I'm
mystified as to why the browser manufacturers didn't factor this in when
implementing in the first place.
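
The click-only rule suggested in the comment above, sketched from the site's side as an added example (not part of the thread, and not how any browser enforces it). `createNotificationGate`, `makeStubApi` and the element id are hypothetical names; `Notification.permission`, `Notification.requestPermission()` and `event.isTrusted` are the standard web APIs.

```javascript
// Added example, not from the thread. `api` is injected so the logic runs
// outside a browser; in a page, pass window.Notification.
function createNotificationGate(api) {
  let inFlight = false;
  // Returns a short status string so callers can log or test what happened.
  return function onClick(event) {
    // Events dispatched by script (el.click(), dispatchEvent) have
    // isTrusted === false; only a real user click may lead to a prompt.
    if (!event || event.type !== 'click' || event.isTrusted !== true) {
      return 'ignored-untrusted';
    }
    // 'granted' or 'denied' is a remembered choice: do not ask again.
    if (api.permission !== 'default') {
      return 'already-' + api.permission;
    }
    // A double click must not stack two prompts.
    if (inFlight) {
      return 'pending';
    }
    inFlight = true;
    Promise.resolve(api.requestPermission())
      .catch(() => {})
      .finally(() => { inFlight = false; });
    return 'prompted';
  };
}

// Constructed stand-in for window.Notification, to exercise the gate offline.
function makeStubApi(permission) {
  return {
    permission,
    calls: 0,
    requestPermission() {
      this.calls += 1;
      return Promise.resolve('granted');
    },
  };
}

// Browser wiring (the element id is hypothetical):
// document.getElementById('enable-alerts')
//   .addEventListener('click', createNotificationGate(window.Notification));
```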

~~~
sogen
In Safari you can easily disable it. In fact it’s my preferred browser because
of this and the speed.

~~~
sogen
Oh, and the new blocking features.

------
r721
A couple of relevant discussions from Chrome devs:

[https://bugs.chromium.org/p/chromium/issues/detail?id=740961](https://bugs.chromium.org/p/chromium/issues/detail?id=740961)

[https://github.com/WICG/interventions/issues/49](https://github.com/WICG/interventions/issues/49)

------
feelin_googley
[https://developers.google.com/web/fundamentals/push-notifications/](https://developers.google.com/web/fundamentals/push-notifications/)

"A PushSubscription contains all the information we need to send a push
emssage[sic] to that user. You can "kind of" think of this as _an ID for that
user's device_."

"A push service receives a network request, validates it and delivers a push
message to the appropriate browser. _If the browser is offline, the message is
queued until the browser comes online._"

"Each browser _can use any push service they want_, it's something developers
have no control over. This isn't a problem because every push service expects
the same API call. Meaning you don't have to care who the push service is. You
just need to make sure that your API call is valid."

"The data you send with a push message must be encrypted. The reason for this
is that it prevents push services, _who could be anyone_, from being able to
view the data sent with the push message. This is important given that it's
the _browser_ [not the user] who decides which push service to use, which
could open the door to browsers using a push service that isn't safe or
secure."

"When you trigger a push message, the push service will receive the API call
and queue the message. This message _will remain queued until the user's
device comes online_ and the push service can deliver the messages. The
instructions you can give to the push service define how the push message is
queued."

"When the push service does deliver a message, the browser will receive the
message, decrypt any data and dispatch a push event in your service worker. A
service worker is a "special" JavaScript file. _The browser can execute this
JavaScript without your page being open. It can even execute this JavaScript
when the browser is closed._ A service worker also has API's, like push, that
aren't available in the web page (i.e. API's that aren't available out of a
service worker script)."

Hard to imagine how anyone could foresee that such a "feature" could be abused.

------
superasn
Yes, this is the most annoying thing after the modal popups. Unfortunately,
there are now sites[1] peddling this plague on the internet in the name of
better ROI.

Once the abuse becomes big enough (like the exit popups, flash ads, etc), I
hope this too will get blocked by default.

[1] [https://pushcrew.com/features/](https://pushcrew.com/features/)

------
vcanales
> What can browser developers even do about this, block all requests by
> default (therefore making it a feature almost no one uses)? Chrome doesn't
> even have a setting to block all requests.

Missing the point. This is actually a useful feature, and is part of the big
service workers push. The fact that some sites are using it poorly (to say the
least), is on the sites themselves. As it has already been pointed out, you
_can_ disable them on a per-site basis, and at least on Safari, the same site
won't ask again if you said no once (Preferences > Websites > Notifications).

~~~
chii
> This is actually a useful feature

I don't get how this feature is at all useful. I find that any feature that
can be abused, will be. And this is certainly no different.

~~~
whostolemyhat
You can't conceive of any possible scenario where it might be useful to get a
notification? Not even for Gmail, Slack, a timer etc?

------
GroSacASacs
You have global opt out with browser settings, you can use never ask again on
a per site basis and you can avoid returning to the annoying sites.

You can also disable JS entirely.

~~~
na85
Disabling JS makes the web fantastic.

------
KiDD
OMG. So Annoying! Please don't send me any damn notifications. If you just had
a button at the top of the site that allowed selection to add to websites that
are allowed to push notifications that would be a bit better.

I hate trying to use a site and it isn't working for some reason just to find
out it is prompting me for some damn notifications!

------
6nf
Chrome just needs to change the UI for this feature. It should mimic the way a
blocked pop-up is displayed - just a small icon in the right side of the
address bar. That makes it easy to ignore but you can still find it for
instances where you actually want to allow it (e.g. Google Calendar
notifications)

------
bartvk
This feature is a blight upon the web. To disable in Firefox:

[https://superuser.com/a/1156927](https://superuser.com/a/1156927)

------
siquick
I see these prompts all the time, I've accepted a few but can't ever think of
a time when I actually received a notification.

------
pvg
If you want to vent and receive comments about the abuse of the API, you
should write a blog post about it and submit that instead of a pretend-ask HN.

~~~
Dylan16807
A three sentence blog post? Seems like a waste of effort and page traversals.

~~~
pvg
I didn't say 'paste your made-up indignation question into a blog post
verbatim'. Just 'don't abuse Ask HN for thinly disguised commentary'.

~~~
Dylan16807
Self-posts are gray for a reason, I don't see it as an abuse.

~~~
pvg
It's not a self-post, it's commentary masquerading as a question. It's a 'DAE'
post which are frowned upon even in most of reddit.

~~~
mercer
Except in this case it sparked an interesting discussion, and definitely
doesn't necessarily warrant a blog post to 'qualify' for HN.

------
na85
I think it's not being talked about on HN because a great many HN users are
probably the ones developing these systems.

~~~
marak830
I doubt that, I haven't seen HN avoid topics that the users may be coding
before.

I think it's more that, at the moment, most people only relate it to low
quality sites.

Once it begins to catch on, on more mainstream sites, then it will become more
of a topic.

------
sogen
Agreed, they all want your attention, sacrifice eyeballs to the god of SEO.

------
marcosdumay
Is it a Chrome-only feature? I still haven't seen any such dialog.

~~~
mort96
Nope, it's in Firefox too at least.

~~~
vcanales
Seen it on Safari as well.

------
omosubi
All major browsers have a setting to block all requests, I wish the same thing
existed to block requests to sign up for newsletters.

