Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Why is no one talking about the rampant abuse of the Web Push API?
31 points by throwaway2398 on Oct 9, 2017 | hide | past | favorite | 29 comments
Every news website, and every other random website out there is asking users for permission to send those notifications as soon as the user opens the page. Sometimes, they first have a fake browser-looking dialog, and if the user clicks "Allow", they open the actual browser dialog (possibly to prevent getting disallowed and never getting the chance to ask again, since the choice is remembered).

What can browser developers even do about this, block all requests by default (therefore making it a feature almost no one uses)? Chrome doesn't even have a setting to block all requests.



> Every news website, and every other random website out there is asking users for permission

Maybe we can dial back the hyperbole here. I agree that this (which is the Notification API, not the Web Push API) is being abused, but I can't recall having seen it on any major news web site. I actually see it far more on stuff like tech blogs that are also obsessed with converting me to being a newsletter reader.

But yes, it's infuriating. Safari is probably the worst as it presents a modal popup - at least in Chrome it doesn't take focus. The solution seems very simple: make it only work in response to a click event. Which is something browsers already do for a lot of stuff (like opening a window) and I'm mystified as to why the browser manufacturers didn't factor this in when implementing in the first place.


In Safari you can easily disable it. In fact it’s my preferred browser because of this and the speed.


Oh, And the new blocking features.


A couple of relevant discussions from Chrome devs:

https://bugs.chromium.org/p/chromium/issues/detail?id=740961

https://github.com/WICG/interventions/issues/49


https://developers.google.com/web/fundamentals/push-notifica...

"A PushSubscription contains all the information we need to send a push emssage[sic] to that user. You can "kind of" think of this as an ID for that user's device."

"A push service receives a network request, validates it and delivers a push message to the appropriate browser. If the browser is offline, the message is queued until the the browser comes online."

"Each browser can use any push service they want, it's something developers have no control over. This isn't a problem because every push service expects the same API call. Meaning you don't have to care who the push service is. You just need to make sure that your API call is valid."

"The data you send with a push message must be encrypted. The reason for this is that it prevents push services, who could be anyone, from being able to view the data sent with the push message. This is important given that it's the browser [not the user] who decides which push service to use, which could open the door to browsers using a push service that isn't safe or secure."

"When you trigger a push message, the push service will receive the API call and queue the message. This message will remain queued until the user's device comes online and the push service can deliver the messages. The instructions you can give to the push service define how the push message is queued."

"When the push service does deliver a message, the browser will receive the message, decrypt any data and dispatch a push event in your service worker. A service worker is a "special" JavaScript file. The browser can execute this JavaScript without your page being open. It can even execute this JavaScript when the browser is closed. A service worker also has API's, like push, that aren't available in the web page (i.e. API's that aren't available out of a service worker script)."

Hard to imagine how anyone could forsee that such a "feature" could be abused.


Yes, this is the most annoying thing after the modal popups. Unfortunately, there are now sites[1] peddling this plague on the internet in the name of better ROI.

Once the abuse become big enough (like the exit popups, flash ads, etc), I hope this too will get blocked by default.

[1] https://pushcrew.com/features/


> What can browser developers even do about this, block all requests by default (therefore making it a feature almost no one uses)? Chrome doesn't even have a setting to block all requests.

Missing the point. This is actually a useful feature, and is part of the big service workers push. The fact that some sites are using it poorly (to say the least), is on the sites themselves. As it has already been pointed out, you _can_ disable them on a per-site basis, and at least on Safari, the same site won't ask again if you said no once (Preferences > Websites > Notifications).


> This is actually a useful feature

I don't get how this feature is at all useful. I find that any feature that can be abused, will be. And this is certainly no different.


You can't conceive of any possible scenario where it might be useful to get a notification? Not even for Gmail, Slack, a timer etc?


You have global opt out with browser settings, you can use never ask again on a per site basis and you can avoid returning to the annoying sites.

You can also disable JS entirely.


Disabling JS makes the web fantastic.


OMG. So Annoying! Please don't send me any damn notifications. If you just had a button at the top of the site that allowed selection to add to websites that are allowed to push notifications that would be a bit better.

I hate trying to use a site and it isnt working for some reason just to find out it is prompting me for some damn notifications!


Chrome just needs to change the UI for this feature. It should mimic the way a blocked pop-up is displayed - just a small icon in the right side of the address bar. That makes it easy to ignore but you can still find it for instances where you actually want to allow it (e.g. Google Calendar nofitications)


This feature is a blight upon the web. To disable in Firefox:

https://superuser.com/a/1156927


I see these prompts all the time, I've accepted a few but can't ever think of a time when I actually received a notification.


If you want to vent and receive comments about the abuse of the API, you should write a blog post about it and submit that instead of a pretend-ask HN.


A three sentence blog post? Seems like a waste of effort and page traversals.


I didn't say 'paste your made-up indignation question into a blog post verbatim'. Just 'don't abuse Ask HN for thinly disguised commentary'.


Self-posts are gray for a reason, I don't see it as an abuse.


It's not a self-post, it's commentary masquerading as a question. It's a 'DAE' post which are frowned upon even in most of reddit.


Except in this case it sparked an interesting discussion, and definitely doesn't necessarily warrant a blog post to 'qualify' for HN.


I think it's not being talked about on HN because a great many HN users are probably the ones developing these systems.


I doubt that, I haven't seen hn avoid topics that the users may be coding before.

I think it's more that, at the moment, most people only relate it to low quality sites.

Once it begins to catch on, on more mainstream sites, then it will become more of a topic.


Agreed, they all want your attention, sacrifice eyeballs to the god of SEO.


Is it a Chrome-only feature? I still haven't seen any such dialog.


Nope, it's in Firefox too at least.


Seen it on Safari as well.


Tons of tech websites (ab)use this. Even the NYTimes.


all major browsers have a setting to block all requests, I wish the same thing existed to block requests to sign up for newsletters




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: