1. 2

    Finished an Angular Project about 1.5 weeks ago, so I’ve been looking for ideas on something cool to build. Hopefully, I’ll find something interesting this week and start working on it.

    1. 2

      I’m working on a project in Angular and learning how to integrate Firebase/Firestore with it. Besides that, I’m planning on visiting my uncle, who was diagnosed ~1.5 months ago with a Glioblastoma and is now undergoing his second week of chemo. He was the very reason I became interested in computers when I was younger and was like a second father to me, so it’s been quite difficult for me on a mental and emotional level. Just trying to get any work done has been extremely challenging lately, but I have to try.

      1. 1

I attempted to get Linux on my 2018 15” Macbook Pro several months ago for an Operating Systems course I was enrolled in, and it was quite frankly a nightmare due to Apple’s security measures and the T2 security chip. A friend actually wound up messing up his Macbook Pro when he was attempting to install Ubuntu, so I opted to install it on an external SSD and then boot from it after disabling the T2 security chip by entering Recovery Mode and opening the Startup Security Utility from the Utilities Menu and then disabling Secure Boot and allowing External Boot. It wasn’t smooth, to say the least, but it worked (albeit with much trouble/issues).

        1. 25

          I think the success rate of this system is also highly affected by the kind of public you have. Here is my experience:

          I built a bar management application, people purchase products themselves on their phone with their own account. It’s a socially controlled system.

          • People (re)authenticate just once a year
          • I estimated 80% forget their password and have to use the password reset link; the magic link flow is much nicer
          • A password is optional, a password manager/instant login can be used
          • Simple registration, only a name/email required, no password
          • You want things to be as simple as possible at a bar

          I did ask for some feedback on this, and many liked this system better for this use case. Others opted for using a password, and were fine with that as well. It doesn’t work everywhere, but I think developers should definitely consider a magic link implementation for some applications, to use the best of both worlds.

          1. 6

            I agree it heavily depends on the type of userbase you have. For example, I prefer the traditional email address/password setup since I always use my password manager, which auto-fills the fields for me. Magic link-based authentication feels a bit more tedious to me as a user since it would mean I would always have to do the one extra step of going into my email for the link. Also, the (re)authentication once a year is an excellent idea. If it’s a phone app, one way to help prevent people from forgetting their password would be similar to what Authy does, where it gives you the option to enter your password if you want to be sure that you remember it or you can just hit ignore.

          1. 37

            It sucks for offline apps, but there is a sad rational explanation: in reality there are very few real offline webapps that rely on it, and lots and lots of trackers that abuse it.

            Any bit of persistent state will be abused for tracking, so sadly everything has to be blocked for as long as surveillance-based adtech thrives.

            1. 5

              Then we should block native apps that can communicate over the network from saving files to disk. ;)

              1. 15

                I get your point, but I think there’s a difference in user expectations between an app and a website. If I just visit a site to read one or two pages, that feels like it should be anonymous, whereas an app I use to do stuff feels more stateful.

                1. 6

                  If browsers can require explicit permissions for accessing the webcam etc., why can’t they do the same for local storage? I think they can and should, and it would be way better than wiping the local storage after $num days.

                  1. 7

                    It will be another popup where 99% of the userbase shrugs and goes “yeah, I guess”.

                    1. 3

                      How do you know that’s what people do? :) I have no pity for people who choose the wrong option. But I must pity those who aren’t even given the option.

                      1. 1

                        I mean you do have the option of just not using Apple products. Seems like the best option imo.

                        1. 2

                          Apparently Chrome is going down this route too in 2022.

                          1. 1

                            It boggles my mind how in-step Apple and Google are. One is always following the other when it comes to eroding our options and privacy online. Really makes me feel like a sucker for actually believing that a company the size of Apple could “care” about privacy any more than Google could. I guess we imagine the world as we’d like it to be…

                    2. 1

                      If browsers can require explicit permissions for accessing the webcam etc., why can’t they do the same for local storage? I think they can and should, and it would be way better than wiping the local storage after $num days.

                      There’s a Firefox plugin that does something similar, but with a much better UI (ask forgiveness, not permission). The Self Destructing Cookies plugin moves any per-site storage to a separate location as soon as you navigate away. If you go back to a site and realise that functionality that you care about is broken then you can restore the state, but otherwise you just leave it and it’s eventually deleted in the background. I’d love to see that UI adopted more widely for cookies and local storage. 99% of the time, I’m happy for things to silently become session cookies. Having that as the default, with a working undo for when it isn’t, is a lot more user-friendly than asking people to allow or deny (which is the right UI for the microphone and camera, where you are likely to know if the site really needs these).

                  2. 9

                    Native apps are definitely full of trackers. They’re probably even worse than websites due to elevated privileges, easily obfuscated SDKs, and no origin separation.

                    But the difference is in user expectations. Users freely jump from site to site, and can be visiting hundreds of sites. Many users hardly install any native apps.

                    1. 7

                      One interesting difference is that I firewall all my native apps’ outbound connections. So I’m acutely aware every time one of them phones home to report my activity to their overlords, or it’s simply blocked.

                      I have to let my browser talk to arbitrary hosts on the internet for it to do its job. It doesn’t currently let me specify that an offline web site shouldn’t be able to do that.

                      My outgoing connection firewall thus amounts to a more effective form of origin separation than I get from a browser.

                      1. 6

                        They’re probably even worse than websites due to elevated privileges, easily obfuscated SDKs, and no origin separation.

                        I think the most prominent privacy issue is services tracking you across the web, which ad networks do. Native apps [should] live in their own little world. Unless they abuse privileged access, which in most legit cases they don’t. I consider Facebook and Google tracking my browsing habits much worse privacy-wise than Apple tracking which news I look at in the Apple News app.

                        Native apps are also getting better at letting users control access and I don’t get any surprise about random apps reading my contact list. I can easily review which app has access to what. This is in no way obfuscated, at least on OSX/iOS.

                        1. 4

                          I hadn’t realized how bad the trackers were until I sent my iPhone’s/iPad’s traffic to my Pi-hole. It’s incredible how bad it has become.

                        2. 6

                          The difference is that downloading a native app has a very different experience than just visiting a website. You know you’re downloading a thing that will store data on your device.

                          Ideally, the technical differences in implementation would be divorced from the UI differences, so that you could write an offline web app, make it jump through an equivalent set of hoops to authorize the use of local storage, and then it has privileges equivalent to native apps, but it’s not trivial to do something like that. As it stands, letting apps have free rein to store persistent tracking information isn’t a good policy.

                          1. 5

                            Ideally, the technical differences in implementation would be divorced from the UI differences, so that you could write an offline web app, make it jump through an equivalent set of hoops to authorize the use of local storage, and then it has privileges equivalent to native apps, but it’s not trivial to do something like that

                            It may not be trivial, but it does have a name – “electron”.

                            1. 1

                              It’s close to what I described, and worth mentioning, but there are still tradeoffs. At a minimum, Electron requires you to go through the app store on iOS, right?

                              1. 1

                                You can download and install it as you can with any other native application, which is the point: it behaves like a native program, so you install it like a native program.

                          2. 2

                            iOS apps are already heavily sandboxed, have heavy restrictions based upon what they can use for persistent identifiers, etc.

                            The web, by necessity, requires an overly permissive model first and foremost. This is where advertisers are most sticky.

                            1. 1

                              If you just prevent the user from unlocking their device they don’t risk entering any personal information that could be leaked.

                              1. 1

                                What we should block is the cause, not the symptom. We should block trackers. Make them illegal. Yes, it would be impossible to enforce. But at first, we kill off Google’s and Facebook’s ability to do this (and they couldn’t get away with it, they’re too big).

                                Then the small ones won’t matter any more and within a few years, that particular problem is gone.

                              2. 2

                                I’m using this functionality to improve accessibility to slow connections.

                                Seven days is quite a short window.

                                1. 7

                                  Saying “seven days” is incomplete enough to be effectively inaccurate. The more accurate statement is:

                                  • For sites using local storage, it’s deleted if the user goes seven days without visiting your site in Safari
                                  • For web apps installed to the home screen, it’s deleted if the user goes seven days without opening your app

                                  These seem to be reasonable if you’re using local storage as a temporary cache, since every visit to your site or launch of your app resets the counter for you (and also gives you a chance to make sure your locally-cached data is up to date).
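The comment above describes the safe way to use local storage under a policy like Safari's: as a cache that is refreshed on every visit and may disappear at any time. The code below is an added example of that pattern, written for this page rather than taken from any project mentioned in the thread. Each entry is wrapped in an envelope with a schema version and save time, a read that finds a missing, corrupt, outdated or expired entry is treated as a cache miss rather than an error, and every visit refreshes the entry. The storage object is injected so the example runs in Node with an in-memory stand-in; in a browser you would pass `window.localStorage`. The envelope layout, `CACHE_VERSION`, the key names and the function names are assumptions of this example.

```javascript
const CACHE_VERSION = 1;                       // bump when the cached shape changes
const DAY_MS = 24 * 60 * 60 * 1000;

// Minimal stand-in for window.localStorage so the example runs outside a browser.
// clear() plays the role of the browser wiping the site's storage.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    clear: () => { map.clear(); },
  };
}

// Save a value inside an envelope carrying the schema version and save time.
// Returns false instead of throwing when storage is full or disabled
// (private browsing, quota exceeded): the app must keep working without it.
function writeCache(storage, key, value, now = Date.now()) {
  const envelope = { v: CACHE_VERSION, savedAt: now, value };
  try {
    storage.setItem(key, JSON.stringify(envelope));
    return true;
  } catch (e) {
    return false;
  }
}

// Return the cached value, or null if the entry is missing, not valid JSON,
// from another schema version, or older than maxAgeMs. Anything unusable is
// removed, and a wiped or tampered entry is simply a miss, never an exception.
function readCache(storage, key, maxAgeMs, now = Date.now()) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let envelope;
  try {
    envelope = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(key);
    return null;
  }
  if (!envelope || envelope.v !== CACHE_VERSION || typeof envelope.savedAt !== 'number') {
    storage.removeItem(key);
    return null;
  }
  if (now - envelope.savedAt > maxAgeMs) {
    storage.removeItem(key);
    return null;
  }
  return envelope.value;
}

// On each visit: serve from cache when fresh, otherwise fetch and re-save.
// fetchFresh is the app's own network call (a stub in the usage below). Because
// the entry is rewritten on every refresh, the data stays current at the same
// time the visit itself resets the browser's inactivity counter.
async function loadWithCache(storage, key, fetchFresh, maxAgeMs, now = Date.now()) {
  const cached = readCache(storage, key, maxAgeMs, now);
  if (cached !== null) return { value: cached, source: 'cache' };
  const fresh = await fetchFresh();
  writeCache(storage, key, fresh, now);
  return { value: fresh, source: 'network' };
}
```

Note that `maxAgeMs` is the application's own freshness bound and has nothing to do with the browser's seven-day rule: the browser may remove the entry earlier, and the code above copes with that the same way it copes with any other miss. Anything the user cannot afford to lose, such as the private key discussed further down the thread, has to live on the server or in a backup the user controls, not only in a cache like this.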

                                  1. 2

                                    I don’t think it’s reasonable if you’re using localStorage to store a user’s private key for your site.

                                    I think this is a valid use case, and the user will be severely disappointed if their key is lost after just 7 days of inactivity.

                                    1. 5

                                      Lots of sites would log me out if I didn’t visit for a while. And client-side storage has always been volatile and intended to support short periods of offline work, rather than an ad-hoc guaranteed-permanent filesystem substitute. The fact that a lot of people assumed it could be used as a permanent filesystem seems like an error on their part.