
It's a shame they have a messy pile of API-specific hacks to propagate the "user gesture". Chrome solved this problem with a change to the spec (which they called "User activation v2" [1]). It's basically two flags and a short timeout, and it covers basically all cases. Safari's approach means you have very specific codepaths, and if you do something async outside of that, tough luck, you can't use the feature and will have to nag the user to touch the screen again. This already affects APIs like clipboard (want to copy something that takes async work to generate? tough luck), limits APIs like OffscreenCanvas (want to move your game engine to a worker? tough luck, you lose access to all user gestures), and this too. Hopefully Apple can consider aligning with Chrome on this.

[1] https://www.chromestatus.com/feature/5722065667620864
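An added example, not from this thread or from either browser's source, that models the two mechanisms the comment contrasts: the HTML spec's user activation state (a sticky "has ever been activated" flag plus a transient flag that expires after a short window and is consumed by some APIs) versus a check that only passes while the code is synchronously on the gesture handler's stack. Timestamps are passed explicitly instead of using real timers so it runs deterministically under Node; the 5000 ms window, the class names and `copyAfterAsyncWork` are assumptions of this model, not values taken from a spec or browser.

```javascript
// Added example: a model of "user activation v2" (two flags + timeout)
// next to a stack-scoped "inside the gesture handler" check.
// The expiry window is an assumption for this model; browsers pick their own.
const TRANSIENT_ACTIVATION_MS = 5000;

// Spec-style activation state: sticky flag never clears, transient flag
// is a timestamp compared against the window and can be consumed.
class UserActivationV2 {
  constructor() {
    this.sticky = false;
    this.lastActivationMs = -Infinity;
  }
  // Called by the engine when a trusted gesture (click, keypress...) is dispatched.
  notify(nowMs) {
    this.sticky = true;
    this.lastActivationMs = nowMs;
  }
  hasBeenActive() {
    return this.sticky;
  }
  // Transient activation: recently notified and not yet consumed.
  isActive(nowMs) {
    return this.sticky && nowMs - this.lastActivationMs < TRANSIENT_ACTIVATION_MS;
  }
  // APIs such as popups consume the transient flag so one gesture buys one use.
  consume(nowMs) {
    if (!this.isActive(nowMs)) return false;
    this.lastActivationMs = -Infinity;
    return true;
  }
}

// Stack-scoped model: the check passes only while the handler is executing.
// Anything that resumes later (a promise continuation, a timer, a worker
// message) runs with depth 0 and is refused regardless of elapsed time.
class GestureScope {
  constructor() {
    this.depth = 0;
  }
  run(handler) {
    this.depth++;
    try {
      return handler();
    } finally {
      this.depth--;
    }
  }
  isInside() {
    return this.depth > 0;
  }
}

// Simulates: a click at clickAt, async work taking workMs to produce the
// payload, then a gated call (e.g. a clipboard write) once the work is done.
// Returns whether each model would permit the call synchronously in the
// handler and again after the async work finishes.
function copyAfterAsyncWork({ clickAt, workMs }) {
  const v2 = new UserActivationV2();
  const scope = new GestureScope();
  const sync = {};

  // The handler runs on the gesture's stack; both models say yes here.
  scope.run(() => {
    v2.notify(clickAt);
    sync.v2 = v2.isActive(clickAt);
    sync.gestureScope = scope.isInside();
  });

  // After the work completes we are back at the event loop: the handler's
  // frame is gone, so only the time-based model can still say yes.
  const doneAt = clickAt + workMs;
  return {
    sync,
    afterAsync: { v2: v2.isActive(doneAt), gestureScope: scope.isInside() },
  };
}

module.exports = { UserActivationV2, GestureScope, copyAfterAsyncWork, TRANSIENT_ACTIVATION_MS };
```

With 800 ms of work the time-based model still grants the call while the stack-scoped one refuses it; with 7 s of work both refuse, which is the "nag the user again" case. In WebKit the usual way around the stack-scoped check is to start the gated call synchronously in the handler and hand it a value that resolves later (a `ClipboardItem` whose entry is a Promise), so the call itself sits on the gesture's stack while the payload is produced afterwards.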



> It's a shame they have a messy pile of API-specific hacks to propagate the "user gesture". Chrome solved this problem with a change to the spec

If Safari had changed the spec that comment would probably have begun with "It's a shame they had to change the spec..."

> Safari's approach means you have very specific codepaths, and if you do something async...tough luck

I'm no expert on it but this sounds more secure, no?

> APIs like clipboard (want to copy something

On a side note, I really wish non-explicit copy/pasting/clipboard snooping would die.

iOS 14 has exposed a bunch of apps that read your clipboard without any explicit paste action. It's creepy and we can only hope that it's not malicious. A bunch of big names including Discord are guilty of this.


> If Safari had changed the spec that comment would probably have begun with "It's a shame they had to change the spec..."

I don't follow. They are breaking the spec anyways. A simple timeout would be equally spec-breaking and a lot easier to understand and use.

The weird async-callback-chaining doesn't actually limit any nefarious behaviour. It just requires the code author to carefully stay inside their arbitrary happy-path. A simple timeout after a user gesture is just simpler. Furthermore this is something that you can't test without buying a thousand dollar device.


Programmatic paste is restricted in all browsers, including Safari (although Chrome has a special exception hardcoded to the Suite apps).
