undefined | Better HN

0 pointswlesieutre10y ago0 comments

Yeah, this reminds me of the recent(ish) realization that a javascript could check a link's applied style to determine if it had :visitied, letting advertisers trivially run test a very large list of links to fingerprint and profile anybody who visits a webpage.

Mozilla patched that information leak. I don't remember anyone accusing them of "contempt for web developers."

I'm no longer using iOS regularly, but the fact that Apple can and does police apps that violate a user's expectation of privacy is one of the strong points of the platform.

0 comments

ploxiln10y ago

Mozilla didn't start white-listing web sites which it determined didn't snoop on the :visited property, and black list all other sites. Instead, it fixed the API.

wlesieutreOP10y ago

Right, they did it by blocking javascript access to computed CSS styles so that it doesn't return :visited rules.

In Apple's case, the more secure options would either be "an app must include a perapproved list of which other apps are authorized to see that it is installed", or popups for permissions like "Image Editor wants to know if you have Dropbox."

Since Apple has both the authority and the manpower to approve or disapprove of apps, they chose to not take either and to stick with the version that gives the best user experience, while also allowing devs to continue checking installed apps when they need to as appropriate for cross-app interaction.

I guess it sucks from iHasApp's perspective, but I don't have any more sympathy for them than any other spyware developer. Just because Win32 apps aren't sandboxed and can read arbitrary data out of my home folder doesn't mean it's an OK thing to do.

ckluis10y ago

To be fair I think there is an easy workaround on blocking the javascript from reading computed CSS styles. I wrote a potential hack around that here: http://ckluis.com/black-hat-badassery/

j / k navigate · click thread line to collapse