1. 2

    If anyone wants to see the change log, I found it with a bit of digging:

    https://bugs.netsurf-browser.org/mantis/changelog_page.php

    1.  

      This isn’t a changelog, but a list of closed bugs.

      For a changelog, see this, found by sams above.

    1. 3

      all I want is to be able to search $ & &= >>= <=> etc and get some answers. I realized that’s a big tokenization issue, but overloaded special characters are ruining searchability in a lot of languages.

      1. 1

        i think one of the issues is resource cost, which is much greater than that of simple keyword lookup in a tree

      1. 2

        Consider allowing searching via POST, so that the search string is not sent to sites via referrer URL.

        1. 3

          I disagree in this instance, only because a linkable result set is extremely helpful. These days we have the Referrer-Policy header to better control what is leaked.

          1. 2

            i think the request is to allow it, not making default. you can receive GET and POST at the same address.

          2. 2

            Is there a downside of using rel=noreferrer instead? https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

            Some pages that use POST over GET make it very annoying to go backwards, prompting for a ‘do you want to submit the form again’ kind of alert.

            1. 2

              i think gp was talking about allowing it as an option, not making it default?

          1. 14

            I flagged this as ‘off-topic’ because I believe that low-effort wikipedia postings like this (without any context) that are wildly popular on the orange site don’t belong here.

            1. 4

              I upvoted this because I appreciate being introduced to a new concept. I don’t think a link to wikipedia is necessarily low-effort, and it’s a more lasting URL than most other sites.

              I also upvoted your comment because I have seen enough of what you describe.

              1. 4

                Wikipedia can be more permanent, but an article like this that’s flagged for lack of notability is at risk of being removed.

                As @11backslashes notes, linking to the project’s home page is more appropriate.

              2. 2

                I concur, agree, and flagged as well.

              1. 16

                Please correct me if I’m wrong, but AFAIK you don’t need to ask for cookie consent for core site functionality, such as remembering user settings.

                The “cookie law” isn’t about using cookies per se, but about using cookies (or any other identifier) for tracking people.

                1. 7

                  That’s true. You’re not required to get cookie consent for the necessary functionality such as session cookies that for instance hold the items in the shopping cart etc.

                  1. 4

                    remembering user settings.

                    Presumably, it depends whether your user settings cookie contains data like “dark mode on” or whether it contains a user id which allows you to load the user’s settings from your database. While they both achieve the same functionality, the latter case tracks the user, while the former does not. I don’t know whether you could try to justify the latter as “necessary”, given that the former is possible.

                    1. 4

                      From my reading here https://gdpr.eu/cookies/ it says:

                      “Receive users’ consent before you use any cookies except strictly necessary cookies.

                      Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies.

                      Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.”

                      So you would have to ask for consent for “preferences” but you don’t need to ask for those as soon as someone enters a site like you need to ask for marketing/tracking cookies. You can for instance have a “remember me” box and let users check it in case they want to save settings such as dark mode or they try to login.

                      1. 3

                        If you keep the dark mode setting client-side, you can just store it in local storage and never send it to the server. You don’t need opt-in for that.

                        1. 4

                          GDPR is technology-agnostic. Don’t assume that if you use some other mechanism that you’re in the clear. Local storage can still hold persistent identifiers that your website can access.

                          1. 3

                            I agree, but I said “never send it to the server”. I don’t think anything done purely client-side is subject to consent in GDPR.

                            1. 1

                              I wouldn’t bet on a technicality convincing any lawyers.

                              • If you embed third-party scripts on your page, you’re sharing localStorage with them, and you have the responsibility to ensure they won’t grab it. XSS on your site may need to be treated the same way as server-side data breaches, because it only matters what data leaked, not how.

                              • If you make use of the data, you’re still processing it. Even if you don’t send the data as-is to the server, it may still have privacy implications, e.g. if you choose which ads user gets served based on localStorage data.

                              1. 1

                                Both of those points are interesting, but I wonder about the implications on native, desktop applications then…

                                I’ve never had a video game ask me for consent to autosave, for instance.

                                1. 1

                                  Games come with heavy EULAs, especially if any account or on-line component is involved (e.g. DRM and anti-cheat rootkits have access to lots of private information, so they must have made you “agree” to this).

                          2. 2

                            That only works if the user runs your JS

                            1. 2

                              Yes. It doesn’t really matter if the dark mode setting isn’t saved (or even cannot be used) for users who disable JS…

                              1. 3

                                you’re right. and it also doesn’t matter if that wheelchair ramp actually works.

                                1. 1

                                  I don’t know an accessibility issue that would be solved by a native dark mode and where the user cannot interpret JavaScript…

                                  Honestly, accessibility matters, but this really sounds like a straw man argument.

                                  1. 2

                                    Correct me if I’m wrong, but what I interpret your comment to say is:

                                    I don’t think it is important for users without JS to be able to save their site preferences.

                                    1. 1

                                      Yes, but today disabling JS is a choice so it’s not really fair to compare it to disability.

                                      How many users can still afford to disable JS entirely anyway, in a time when so many popular websites are single page applications?

                                      It’s 2020, and CLI browsers, screen readers, crawlers… can all run JS. (And they don’t care about a dark mode anyway.)

                                      For what it’s worth I’ve always thought that styling was a client-side issue. 20 years ago we had alternate stylesheets, and Mozilla never fixed this issue so people already relied on cookies + client-side JS to solve that. The only difference in using localStorage is that the information is never sent to the server, where it isn’t used anyway.

                                      1. 2

                                        Yes, but today disabling JS is a choice so it’s not really fair to compare it to disability.

                                        Go get yourself an Obamaphone, or a $25 phone from Best Buy, and use it as your primary device for a week. Then come back here and say that again.

                                        How many users can still afford to disable JS entirely anyway, in a time when so many popular websites are single page applications?

                                        That’s what I’m saying here. You could be a “popular website” which makes itself inaccessible, or you could go the extra mile and build that ramp.

                                        JS can also break due to incomplete transfers, broken cached JS files, errors in the JS itself, unfinished loading due to slow connections. Do you really want to eliminate all these users, when they may be depending on your service the most?

                            2. 2

                              I think it’s okay to send the individual preferences to the server, but not an ID to look up preferences server-side, because that is something you can individually track the user with.

                              For example, if both me and catwell prefer the dark site with language Swahili, you can’t distinguish us if these settings are set directly in the cookies; same settings, same cookies. But if you store them in a database with user ID, suddenly I’m user 42 and catwell is user 1337, and you can distinguish between us.

                              1. 1

                                I think it’s okay to send the individual preferences to the server, but not an ID to look up preferences server-side, because that is something you can individually track the user with.

                                Is there really a difference?

                                1. 1

                                  Is there really a difference?

                                  Yes. Definitely. darkmode=1 vs darkmode=0 has one bit of entropy, so you can’t track me with it. SID=94898743637843438653262 is many bytes of entropy, and I don’t know what you use it for. Is that identifier only matched to a darkmode setting or is it a giant GDPR violation server side?
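The distinction drawn in the comments above (preferences stored directly in the cookie versus an ID that keys a server-side lookup), as an added example that is not part of the original thread. The visitor data, the `lang` field and the ID values are constructed for illustration.

```javascript
// Added illustration (not from the thread). All visitor data is constructed.

// Count how many visitors present each distinct cookie value.
function countValues(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// Shannon entropy, in bits, of the observed cookie-value distribution.
function entropyBits(values) {
  let h = 0;
  for (const c of countValues(values).values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Size of the smallest group of visitors that share one cookie value.
// A result of 1 means at least one visitor can be singled out.
function smallestAnonymitySet(values) {
  return Math.min(...countValues(values).values());
}

// Number of visitors whose cookie value is shared with nobody else.
function uniquelyIdentifiable(values) {
  const counts = countValues(values);
  return values.filter((v) => counts.get(v) === 1).length;
}

// Constructed population: eight visitors, three distinct preference combinations.
const visitors = [
  { dark: true, lang: "sw" }, { dark: true, lang: "sw" },
  { dark: true, lang: "sw" }, { dark: true, lang: "sw" },
  { dark: false, lang: "en" }, { dark: false, lang: "en" },
  { dark: true, lang: "en" }, { dark: true, lang: "en" },
];

// Scheme A: the preferences themselves are the cookie value.
function prefCookie(v) {
  return `darkmode=${v.dark ? 1 : 0}; lang=${v.lang}`;
}

// Scheme B: an opaque per-visitor ID that the server maps to preferences.
// The numbering is a constructed stand-in for a real session identifier.
function idCookie(index) {
  return `SID=${1000 + index}`;
}

// Summarise how well each scheme lets the server tell visitors apart.
function compareSchemes(population) {
  const summarize = (values) => ({
    entropyBits: entropyBits(values),
    smallestAnonymitySet: smallestAnonymitySet(values),
    uniquelyIdentifiable: uniquelyIdentifiable(values),
  });
  return {
    prefs: summarize(population.map(prefCookie)),
    ids: summarize(population.map((_, i) => idCookie(i))),
  };
}

console.log(compareSchemes(visitors));
```

With the ID scheme every visitor is distinguishable regardless of what they chose; with the preference scheme the server only learns which group a visitor falls into.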

                          3. 2

                            or just use css media queries and let the person configure it on their browser instead of having to figure out where every website’s special toggle mode button is.

                            @media (prefers-color-scheme: dark) and @media (prefers-color-scheme: light)

                          1. 4

                            If you force “smooth scrolling” on your users you’re a monster

                            1. 1

                              On one hand, I kind of agree.

                              On the other hand, it seems like for a good proportion of users, smooth-scrolling, at least from the “back to top” button, is less confusing?

                            1. 2

                              I just use <a href="#">Top</a> on my website, always have. https://hultner.se/

                              Is there any reason to use a defined id/name instead?

                              1. 1

                                I don’t recall for sure which browsers support which, but I remember for sure that the <a name=foo> [...] <a href="#foo">foo</a> is by far the most compatible way of doing it, while other methods do not work across all browsers.

                                1. 1

                                  Would be interesting to know which browser doesn’t support the standard #-method. Don’t think I’ve ever noticed it not work in any substantial browsers.

                              1. 36

                                Or simpler without the need for additional <a>:

                                <h1 id="pageTitle">Title</h1>
                                
                                ...
                                ...
                                
                                <a href="#pageTitle">Back to top</a>.
                                
                                1. 26

                                  I don’t even understand why there was an article written for this… It’s so obvious to anyone with any basic HTML understanding.

                                  1. 19

                                    That’s the thing - many website owners, especially those who use WordPress, don’t know basic HTML. So they may be inclined to install a plugin instead of putting a couple of simple lines of HTML into their theme.

                                    Plugins aren’t inherently bad, but they add unnecessary bloat. Especially for something as simple as this.

                                    1. 4

                                      unnecessary bloat

                                      … then maybe don’t use WordPress. ;)

                                      /s

                                    2. 8

                                      because if there is no article about it, this “obvious” knowledge becomes lost, overcomplicated solutions float to the top of search results, and everyone starts doing it the stupid way.

                                      1. 8

                                        As someone who recently had to start doing frontend work at my job, I just want to say this is non-obvious to me and I appreciate the article and comments.

                                      2. 8

                                        Apparently “#top” or just “#” not only works (I remember #top from… The early days. Netscape 4.x?) - but it’s in the standard:

                                        “Note: You can use href="#top" or the empty fragment (href="#") to link to the top of the current page, as defined in the HTML specification.”

                                        https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a

                                        Where the spec is… I’d say more than a little obtuse: https://html.spec.whatwg.org/multipage/browsing-the-web.html#scroll-to-the-fragment-identifier

                                        Ed2: not sure why the author felt a need to define a html4 style named anchor for #top..

                                        Ed: Also TIL: in HTML5 linking directly to an ID is preferred over an explicit named anchor.

                                        1. 4

                                          According to whatwg and MDN this is the preferred method

                                          1. 3

                                            Problem with that is it would take you to the title of the page, which isn’t necessarily the top of the page.

                                            1. 7

                                              The id attribute can be given to any element so it could be done with a <header> or <article> element if that suits the page better. The name attribute on anchor elements is now considered obsolete.

                                          1. 2

                                            I’m learning about git branching, something I’ve avoided for years. I’m 3000+ commits into my project, and the whole time, aside from experiments and accidents, my whole process has been just add, commit, push.

                                            Firming up my first stable branch and thinking about what to put into a “0.1” release.

                                            Fixing a couple of JS issues in Netscape 3.x, which have cropped up.

                                            1. 2

                                              “3000 commits and did not branch even once”. All I can say is: wow. I assume you were a team of one on that project.

                                              1. 1

                                                Indeed, that has been the case :)

                                            1. 2
                                              • Demonstrate a basic HTTP server made with h11
                                              • Do more workouts
                                              • Read “The Communist Movement” (1972), by Jean Barrot (French archive for those interested here)

                                              Previous What are you doing this weekend.

                                              1. 1

                                                Does your definition of “basic HTTP server” include access.log?

                                                1. 1

                                                  Unfortunately no.

                                                  By a basic HTTP server I just mean something like an echo server. The objective is not to build an actual HTTP server but only to validate the API of h11 and the overall design.

                                              1. 1

                                                It’s sort of become, a browser lifecycle…

                                                The first instance that I know of is with Mosaic, because I have seen “best viewed with Mosaic” buttons in the archives somewhere, and Mosaic was one of the first, if not the first browser to support images, iirc.

                                                Then came Netscape, which supported frames and Java, and many people over a certain age have certainly seen the Netscape buttons. Before Netscape was dominated out of the market by IE, which, must be noted, really was technologically superior by many counts, Netscape (code name Mozilla) itself drove Mosaic out of the market, although Mosaic made it to at least 3.0, and was a fairly capable browser by then, supporting forms, images, and a tree-history feature later seen in Firefox addons such as TreeTabs.

                                                The beauty of the Web-based system is that all of these browsers, going back to Mosaic 1.0 and Lynx and www all speak the same basic subset of HTML, and you can still, today, build a website which works in all of them.

                                                1. 1

                                                  After I became disillusioned with Debian, about 3-5 years ago, I tried a few different distros, large and small, and settled on Fedora LXDE. Back then, I was still transitioning from Mac, which means I was using Mac OS for things like watching videos and playing music, while all my development happened in a Debian, and then Fedora, VM in VirtualBox. This was a great system, because my dev environment was segregated completely from my desktop. It also meant that I could take regular snapshots of my dev “machine”, so if I screwed something up, I could go back to 10 days ago, or whenever I happened to make a snapshot, git pull from my github repo, and continue working. I could have set up some kind of automated snapshotting, but I just never bothered. The painful part of this is that I had to shut down to take a snapshot (to avoid making a copy of ram unnecessarily) and also that when I had to delete an older snapshot to save space, it would sometimes take 5-15 minutes. No biggie.

                                                  Recently, I upgraded to a bottom-of-the-line 5-year-old ThinkPad, and installed Fedora LXDE natively, after trying out Windows 10 for a week or two. I’ve read that it might be going unmaintained, which is sad for me, but I’ll ride this horse until it falls off the cliff.

                                                  I picked it because it seemed to just work. There’s a lack of polish in some areas, but there’s also a lack of extra shit that I don’t want, like animations, 3D effects, etc. I want my UI to look and work like Windows 95, which it misses the mark on, but is the closest I’ve found. I want the OS to not give me problems, and I want to be able to install most software I need through the package system, which this setup also satisfies. It would be nice to have hardware volume buttons and to be able to adjust brightness, but I don’t care about it enough to look for the solution. Fedora did not support the built-in wireless networking adapter out of the box, and I didn’t bother setting it up. I just used Ethernet whenever it was available, which is at most people’s networked homes, a few libraries, etc. Between, I saved up my commits, and used my other device for Internet access. Eventually, when I volunteered at FSF, I was gifted a ThinkPenguin.com USB adapter, which worked as soon as I plugged it in. I am very happy with this setup, because I can unplug my wireless network just like I can unplug ethernet. It picks up about 90% of the networks my mobile device does, some it just won’t show.

                                                    1. 4

                                                      Quick link: https://en.wikipedia.org/wiki/Smoke_testing_%28software%29

                                                      Basically, if you try to run something and “smoke” comes out, you probably need to dig deeper. Superficial tests that everything looks good.

                                                      1. 2

                                                        It’s basic, cursory testing, to ensure that nothing is badly broken, but not diving into smaller details.

                                                        https://en.m.wikipedia.org/wiki/Smoke_testing_(software)

                                                      1. 4

                                                        That’s cool - I’m really impressed by the wide range of browsers you’re testing, especially older ones! What OS are you running for this?

                                                        1. 1

                                                          Thank you, I appreciate that. I’m running current Fedora. All the browsers run effortlessly under Wine, so my credit on that is only hunting down the installers and executables. (Ironically, Windows can’t touch this level of backwards compatibility anymore, something I used to love Windows for.)

                                                        1. 1

                                                          I usually do not have a two-story taskbar, nor use 800x600. Just for this video.

                                                          1. 37

                                                            It sucks for offline apps, but there is a sad rational explanation: in reality there are very few real offline webapps that rely on it, and lots and lots of trackers that abuse it.

                                                            Any bit of persistent state will be abused for tracking, so sadly everything has to be blocked for as long as surveillance-based adtech thrives.

                                                            1. 5

                                                              Then we should block native apps that can communicate over the network from saving files to disk. ;)

                                                              1. 15

                                                                I get your point, but I think there’s a difference in user expectations between an app and a website. If I just visit a site to read one or two pages, that feels like it should be anonymous, whereas an app I use to do stuff feels more stateful.

                                                                1. 6

                                                                  If browsers can require explicit permissions for accessing the webcam etc., why can’t they do the same for local storage? I think they can and should, and it would be way better than wiping the local storage after $num days.

                                                                  1. 7

                                                                    It will be another popup where 99% of the userbase shrugs and goes “yeah, I guess”.

                                                                    1. 3

                                                                      How do you know that’s what people do? :) I have no pity for people who choose the wrong option. But I must pity those who aren’t even given the option.

                                                                      1. 1

                                                                        I mean you do have the option of just not using Apple products. Seems like the best option imo.

                                                                        1. 2

                                                                          Apparently Chrome is going down this route too in 2022.

                                                                          1. 1

                                                                            It boggles my mind how in-step Apple and Google are. One is always following the other when it comes to eroding our options and privacy online. Really makes me feel like a sucker for actually believing that a company the size of Apple could “care” about privacy any more than Google could. I guess we imagine the world as we’d like it to be…

                                                                    2. 1

                                                                      If browsers can require explicit permissions for accessing the webcam etc., why can’t they do the same for local storage? I think they can and should, and it would be way better than wiping the local storage after $num days.

                                                                      There’s a Firefox plugin that does something similar, but with a much better UI (ask forgiveness, not permission). The Self Destructing Cookies plugin moves any per-site storage to a separate location as soon as you navigate away. If you go back to a site and realise that functionality that you care about is broken then you can restore the state, but otherwise you just leave it and it’s eventually deleted in the background. I’d love to see that UI adopted more widely for cookies and local storage. 99% of the time, I’m happy for things to silently become session cookies. Having that as the default, with a working undo for when it isn’t, is a lot more user-friendly than asking people to allow or deny (which is the right UI for the microphone and camera, where you are likely to know if the site really needs these).

                                                                  2. 9

                                                                    Native apps are definitely full of trackers. They’re probably even worse than websites due to elevated privileges, easily obfuscated SDKs, and no origin separation.

                                                                    But the difference is in user expectations. Users freely jump from site to site, and can be visiting hundreds of sites. Many users hardly install any native apps.

                                                                    1. 7

                                                                      One interesting difference is that I firewall all my native apps’ outbound connections. So I’m acutely aware every time one of them phones home to report my activity to their overlords, or it’s simply blocked.

                                                                      I have to let my browser talk to arbitrary hosts on the internet for it to do its job. It doesn’t currently let me specify that an offline web site shouldn’t be able to do that.

                                                                      My outgoing connection firewall thus amounts to a more effective form of origin separation than I get from a browser.

                                                                      1. 6

                                                                        They’re probably even worse than websites due to elevated privileges, easily obfuscated SDKs, and no origin separation.

                                                                        I think the most prominent privacy issue is services tracking you across the web, which ad networks do. Native apps [should] live in their own little world. Unless they abuse privileged access, which in most legit cases they don’t. I consider Facebook and Google tracking my browsing habits much worse privacy-wise than Apple tracking which news I look at in the Apple News app.

                                                                        Native apps are also getting better at letting users control access and I don’t get any surprise about random apps reading my contact list. I can easily review which app has access to what. This is in no way obfuscated, at least on OSX/iOS.

                                                                        1. 4

                                                                          I hadn’t realized how bad the trackers were until I sent my iPhone’s/iPad’s traffic to my Pi-hole. It’s incredible how bad it has become.

                                                                        2. 6

                                                                          The difference is that downloading a native app has a very different experience than just visiting a website. You know you’re downloading a thing that will store data on your device.

                                                                          Ideally, the technical differences in implementation would be divorced from the UI differences, so that you could write an offline web app, make it jump through an equivalent set of hoops to authorize the use of local storage, and then it has privileges equivalent to native apps, but it’s not trivial to do something like that. As it stands, letting apps have free rein to store persistent tracking information isn’t a good policy.

                                                                          1. 5

                                                                            Ideally, the technical differences in implementation would be divorced from the UI differences, so that you could write an offline web app, make it jump through an equivalent set of hoops to authorize the use of local storage, and then it has privileges equivalent to native apps, but it’s not trivial to do something like that

                                                                            It may not be trivial, but it does have a name – “electron”.

                                                                            1. 1

                                                                              It’s close to what I described, and worth mentioning, but there are still tradeoffs. At a minimum, Electron requires you to go through the app store on iOS, right?

                                                                              1. 1

                                                                                You can download and install it as you can with any other native application, which is the point: it behaves like a native program, so you install it like a native program.

                                                                          2. 2

                                                                            iOS apps are already heavily sandboxed, have heavy restrictions based upon what they can use for persistent identifiers, etc.

                                                                            The web, by necessity, requires an overly permissive model first and foremost. This is where advertisers are most sticky.

                                                                            1. 1

                                                                              If you just prevent the user from unlocking their device they don’t risk entering any personal information that could be leaked.

                                                                              1. 1

                                                                                What we should block is the cause, not the symptom. We should block trackers. Make them illegal. Yes, it would be impossible to enforce. But at first, we kill off Google’s and Facebook’s ability to do this (and they couldn’t get away with it, they’re too big).

                                                                                Then the small ones won’t matter any more and within a few years, that particular problem is gone.

                                                                              2. 2

                                                                                I’m using this functionality to improve accessibility to slow connections.

                                                                                Seven days is quite a short window.

                                                                                1. 7

                                                                                  Saying “seven days” is incomplete enough to be effectively inaccurate. The more accurate statement is:

                                                                                  • For sites using local storage, it’s deleted if the user goes seven days without visiting your site in Safari
                                                                                  • For web apps installed to the home screen, it’s deleted if the user goes seven days without opening your app

                                                                                  These seem to be reasonable if you’re using local storage as a temporary cache, since every time the user visits your site or opens your app resets the counter for you (and also gives you a chance to make sure your locally-cached data is up to date).

                                                                                  1. 2

                                                                                    I don’t think it’s reasonable if you’re using localStorage to store a user’s private key for your site.

                                                                                    I think this is a valid use case, and the user will be severely disappointed if their key is lost after just 7 days of inactivity.

                                                                                    1. 5

                                                                                      Lots of sites would log me out if I didn’t visit for a while. And client-side storage has always been volatile and intended to support short periods of offline work, rather than an ad-hoc guaranteed-permanent filesystem substitute. The fact that a lot of people assumed it could be used as a permanent filesystem seems like an error on their part.

                                                                              1. 5

                                                                                Cool, but the next wave of ad blockers will need a completely novel approach once SSAI (server-side ad insertion) takes off unless we all just collectively reject ad monetized video content.

                                                                                DAI (Google’s SSAI solution) is already in what amounts to a prerelease for larger customers

                                                                                1. 5

                                                                                  Could you explain quickly what SSAI is?

                                                                                  1. 6

                                                                                    Sure! I will limit my explanation to the bounds of HLS (HTTP Live Streaming) since the concept is the same for both HLS & DASH (Dynamic Adaptive Streaming over HTTP) and these are the two most important ABR (Adaptive Bitrate) content types.

                                                                                    1. You have a manifest example.m3u8 file that declares a list of where your video fragment files <N>.ts are, this file usually sits somewhere “private”, maybe even encrypted with a key that only the SSAI server knows if the company has enough technical expertise to handle running the infra for it.
                                                                                    2. Browser asks for example.m3u8 from some URL that the SSAI server sits in front of, the server fetches the actual manifest (or maybe has a local cached version already available) and looks for special places where the manifest declares an Ad can be inserted, SSAI fetches the Ad (bidding/etc) and inserts the resulting .ts files into the example.m3u8
                                                                                    3. SSAI server sends the resulting spliced example.m3u8 back to the client with a few extra .ts files in it, and updated metadata (this is a big thing I’m glossing over) so it doesn’t break metadata in the browser about video duration, etc.

                                                                                    Here are some more resources:

                                                                                    1. 3

                                                                                      Who controls the SSAI server? Would that be Google in this case and the content is made available to them by the company that owns the page where the video will be displayed? So does that mean that in order to host a ad network that uses SSAI you basically have to proxy all traffic for your customers?

                                                                                      It seems weird to do the ads on the server since (as I understand it) advertisers don’t trust content providers not to cheat, and that’s why ads are fetched on the client from separate servers (which can then be blocked with relative ease).

                                                                                      Maybe I just totally don’t understand what’s happening here.

                                                                                      1. 3

                                                                                        Advertisers don’t trust content providers in general not to cheat.

                                                                                        However, Google have been caught ‘cant-believe-its-not-cheating’ multiple times with no impact, and it took years for it (eg putting brands next to KKK vids) to catch up with them on youtube.

                                                                                        I suspect YT could pull it off and tell advertisers that’s the new deal.

                                                                                  2. 4

                                                                                    I think the next wave, already here, really, are service-specific user agents. Instead of cutting out the advertising, they cut out the content and make a new frame for it.

                                                                                    These take many different forms including websites (archive.is, youtube downloader sites), scripts (youtube-dl), binary apps (Frost, AlienBlue, NewPipe).

                                                                                    1. 2

                                                                                      As @whjms noted, unless they are patching the manifest files on the fly to undo the SSAI (possible, but would lead to another type of whack-a-mole) it doesn’t matter how you are showing the content

                                                                                      1. 1

                                                                                        Wouldn’t newpipe still have to display the SSAI ads, since the ads are dynamically inserted into the video?

                                                                                      2. 2

                                                                                        It’s already taken off. Quite a few of the youtube videos I watch–maybe as many as 50%–are sponsored by an audiobook company or a learning-video company.

                                                                                        The only solution I can think of to this is a crowd-sourced database of video timestamps to skip between; this is an impossible-to-complete task which grows ever larger, and it’s open to abuse.

                                                                                        1. 1

                                                                                          There’s a machine learning model that was trained to skip sponsorship sections, too, though, personally I’m not so bothered if they were picked by the creator and the creator is getting paid directly and reasonably well for it.

                                                                                          1. 1

                                                                                            The leading extension that blocks sponsorships relies on user-submitted times, what’s this machine learning driven one you’ve mentioned? Actually pretty curious about this, I’ve been planning to build an ad-blocker for the TV!

                                                                                            1. 1

                                                                                              It was a recurring neural net trained on the automatic video transcriptions: Reddit thread (and very good intro video); repo.

                                                                                        2. 2

                                                                                          My old employer, a big player in the video space, has been doing SSAI for a few years now.

                                                                                          I never worked in that directly, because I find it gross, but I suspect you could detect differences in encoding between the “content” and “ad” segments.

                                                                                          1. 2

                                                                                            That sounds like it would be fun to make. I suspect you’re right, and I would not be surprised if the differences are huge and glaring. On podcasts, which I listen to much more frequently than I watch online video, the differences are often audible. I can detect the ad spots by ear in many cases, just because the artifacts change when they cut over.

                                                                                            1. 2

                                                                                              I bet that you don’t even need to look at the data, per se. My guess is that the primary method for all of this is HLS, where you have a top-level (text) manifest file that lists the different renditions, and each of those URLs points to another manifest that lists the actual video segment URLs. If I were building SSAI without an eye towards adblockers, I would splice the content and the ads at that second manifest level, so the URLs would suddenly switch over from one URL pattern to another. I believe the manifest also includes the timestamps and segment lengths, so you should be able to detect a partial segment just before you switch from content to ad.

                                                                                              It’s possible that they’re instead delivering it all as one MP4 stream, but that seems out of favor these days. Or they could do HLS but have segments that bridge the gap from content to ad, but that might involve re-transcoding, and if it didn’t… well, you might see something interesting with keyframes or something, I suppose? I don’t think they’d bother with that anyhow, since it sounds more complicated.

                                                                                              1. 1

                                                                                                I think most of it is currently based around #EXT-X-DISCONTINUITY declarations
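Added example, not part of any comment in this thread: a sketch of the manifest-level check discussed above, applied to the kind of spliced media playlist the SSAI explanation describes. It splits the playlist into runs at each `#EXT-X-DISCONTINUITY` tag or change of segment URL prefix and flags runs that end on a short segment. The playlist, the `example.test` hostnames, the function names and the 50% "short segment" threshold are all assumptions made for illustration.

```javascript
// Constructed sample media playlist (not captured from any real service).
const SAMPLE_PLAYLIST = `#EXTM3U
#EXT-X-TARGETDURATION:6
#EXTINF:6.000,
https://cdn.example.test/show/ep1/seg0.ts
#EXTINF:6.000,
https://cdn.example.test/show/ep1/seg1.ts
#EXTINF:2.350,
https://cdn.example.test/show/ep1/seg2.ts
#EXT-X-DISCONTINUITY
#EXTINF:5.000,
https://ads.example.test/creative/abc/0.ts
#EXTINF:5.000,
https://ads.example.test/creative/abc/1.ts
#EXT-X-DISCONTINUITY
#EXTINF:6.000,
https://cdn.example.test/show/ep1/seg3.ts
#EXT-X-ENDLIST`;

// Directory part of a segment URI, used as the "URL pattern" of a run.
function uriPrefix(uri) {
  return uri.slice(0, uri.lastIndexOf("/") + 1);
}

// Split a media playlist into runs of consecutive segments. A new run starts
// at #EXT-X-DISCONTINUITY or when the URI prefix changes between segments.
function splitRuns(playlistText) {
  const runs = [];
  let current = null, pendingDuration = null;
  let breakNext = true; // the first segment always opens a run
  let target = Infinity; // filled in from #EXT-X-TARGETDURATION
  for (const raw of playlistText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("#EXT-X-TARGETDURATION:")) {
      target = Number(line.split(":")[1]);
    } else if (line === "#EXT-X-DISCONTINUITY") {
      breakNext = true;
    } else if (line.startsWith("#EXTINF:")) {
      pendingDuration = parseFloat(line.slice("#EXTINF:".length));
    } else if (line && !line.startsWith("#") && pendingDuration !== null) {
      const prefix = uriPrefix(line);
      if (breakNext || prefix !== current.prefix) {
        current = { prefix, segments: 0, seconds: 0, endsOnShortSegment: false };
        runs.push(current);
      }
      current.segments += 1;
      current.seconds += pendingDuration;
      // Assumed heuristic: "short" means under half the target duration.
      current.endsOnShortSegment = pendingDuration < target * 0.5;
      breakNext = false;
      pendingDuration = null;
    }
  }
  return runs;
}
```

On the constructed sample, `splitRuns(SAMPLE_PLAYLIST)` returns three runs; the first ends on a 2.35-second segment immediately before the prefix switches, which is the partial-segment signal the comment above predicts.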

                                                                                          2. 2

                                                                                            Does SSAI get to track you across the web? TBH, I don’t care about ads themselves, especially in video (that last bit may be because I just don’t watch all that much video). What aggravates me is the whole surveillance aspect of most current online advertising. By my read, SSAI should neuter the ability to track you across different sites. I’m set to call that flawless victory, if ad supported content is forced to resort to something that can’t track me.

                                                                                            1. 1

                                                                                              They still build it to involve tracking, with JS and cookies and whatnot that all happens before the video stream is requested. I believe if all of that is blocked, you still get ads, just not “retargeted” ones.

                                                                                          1. 2

                                                                                            Yep, I attended today (Saturday), and will be around tomorrow.

                                                                                            1. 1

                                                                                              Cool! If you want to meet up in person, I’m wearing ripped jeans, black hoodie with “X/under armour” logo, hat with ears, glasses, small thinkpad.

                                                                                              1. 2

                                                                                                Too bad, we didn’t connect. :)

                                                                                            1. 2

                                                                                              I thought all MIT conferences were cancelled? The STAMP workshop was.

                                                                                              1. 1

                                                                                                Only events over 150 people were cancelled, from what I understand.

                                                                                                Because the Expo is three separate events, all fewer than 150, it is still on.