Hacker News new | past | comments | ask | show | jobs | submit login

I would be OK with 7 days being the default with a permission model where I can grant a website longer storage time.

Actually, I'd be even happier if any form of offline storage required explicit user permission anyway.

There's certainly a balance to achieve there. Too few permissions prompt and you lose control, and too many and you get desensitized or even worse annoyed at them.

There's no balance. You just let the user set any permission and make the prompts unobtrusive.

There is no such thing as an "unobtrusive" prompt.

Some browsers show an icon in the address bar when an app is requesting/can make use of an optional permission or feature. Clicking the icon allows you do grant the extra permission (i.e. allow cookies, enable, camera, etc.) but otherwise no additional prompt is shown.

I think this is an excellent example of such an unobtrusive prompt and is how ALL such features should be implemented. Sites should get almost no permissions by default and certainly not be able to show popup prompts.

That is not a prompt at all, just a fancy configuration option. Which most users will never notice and just assume the app is broken.

When the site tells them to "active X permission" without telling them how to (for their specific browser version), most will leave instead.

When the site gives super detailed, up-to-date instructions on how to activate the feature, a very large percentage of users will still leave instead.

When the feature is so useful that many sites go through all thouse troubles and it's common enough for users to encounter this that they'll follow through, most will do so for every site that tells them to and entices them with "ACTIVATE X TO RECEIVE YOUR $10,000 PRIZE, LUCKY WINNER!!!".

Actually there is - firefox does it all the time. It's simple really - just add a new obscure configuration parameter and tada - the browser starts ignoring your dns resolution setting and automatically uses a preconfigured one. No need for a prompt, obtrusive or otherwise.

network.trr.mode I'm looking at you.

I configured my Chrome to block sounds on all websites except for a few selected ones. Now if blocked website plays sound, I can see tiny icon in right of my URL bad. It's absolutely unobtrusive, yet I can enable sound with two clicks.

Even before this change, data in IndexedDB was kind of volatile - if a device was low on space, browsers could delete stored data.

https://dexie.org/docs/StorageManager describes the StorageManager API which lets you prompt the user to allow your IndexedDB data to be stored more reliably. My first thought after reading this article was wondering if this would allow an exception to the 7 day rule... but then I remembered that Safari is the only "modern" browser which does not support the StorageManager API

lol, sucks for users of my client side JS video game!

> Actually, I'd be even happier if any form of offline storage required explicit user permission anyway.

Even offline storage that is only used locally? Say a game with savegames that has doesn't use online connection to play it.

Another example: a password manager.

I would say yes. The reason being is that exceptions will be abused, so it is better to enforce rules that everyone has to follow than to depend upon good behavior which the people we are trying to stop won't (almost by definition, because we wouldn't be needing to try to stop them with rules if they were already respectful of the social contract).

If there were a way to enforce that the application has no access to any communication system (network, inter-app, maybe excluding explicit copy/paste), then I would be happy to give it permanent storage.

But as soon as you allow it any access to network resources then carrying state becomes a liability.

Both network usage (in native apps) and storage (both for native and web apps) should prompt for permission IMO.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact