So Apple just threw the baby out with the bathwater and killed offline web apps (unless you’re cool with all your data being deleted if you don’t use an app for a week). You’d almost think they had an App Store to promote or something.


Block all third-party cookies, yes, by all means. But deleting Local Storage after 7 days effectively blocks any future decentralised apps using the browser (client side) as a trusted replication node in a peer-to-peer network. And that’s a huge blow to the future of privacy.

Show thread

Of course, if Apple were actually serious about protecting your privacy, they’d implement all this in their News app also. They won’t. And they won’t allow content blockers work in it either. Because just like every other trillion-dollar corporation, they’re massive hypocrites.

Show thread

(And just to be clear, that’s all “local storage”, not just LocalStorage – Indexed DB, etc.)

Show thread

@aral sounds like they're prepping for the "everything's an Electron app"


So, before this change in Apple's policy, an app could store my config data on my PC.

After this change, they'd need to have me log in and send the config data to *their* servers.

And this is supposed to *protect* privacy?

@codesections @aral They've revised the announcement in response to criticism:

A Note On Web Applications Added to the Home Screen

As mentioned, the seven-day cap on script-writable storage is gated on “after seven days of Safari use without user interaction on the site.” That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

If your web application does experience website data deletion, please let us know since we would consider it a serious bug. It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications.

@ssokolow @codesections Saw. Doesn’t change anything. They do this, they kill Offline Web Apps. And with it, the possibility of using the web as a bridge to p2p.

@aral Well, crap. A bunch of things I use and wrote use localStorage. Now I need to host them all and use a database…

@aral Apple has gone full 'The Ring' with its 7 days.

> "Paves the Way For Other Browsers"
> Firefox: *keeps doing containers, first-party isolation and proper addons*
"Back in February 2019, we announced that ITP would cap the expiry of client-side cookies to seven days. That change curbed third-party scripts’ use of first-party cookies for the purposes of cross-site tracking."
"third-party scripts moved to other means of first-party storage such as LocalStorage"

OK this is interesting: how is LocalStorage used for cross-site tracking? It can't be, right? Then, why does that mean the web should absolutely never have client-side permanent storage?

@xerz @aral As long as you can store data locally to later be sent to the server (by, say, an Ajax request) it can be used for cross-site tracking. Cookies were trivial that way, LocalStorage is not much better.

@alcinnz @aral hmm, they can track that by calling home on each request, but I can see why they would use local storage to avoid saturating infrastructure

which APIs should pay for it then, and how? It does seem sensible to block local storage now considering that, but the cost might be too much, I don't see why it couldn't be an optional, per-page setting

@xerz Honestly, I don't know. I'll leave it up to Apple, Google, & Mozilla to decide while I implement and promote my ideal Web.

Which I gather @aral will keep arguing against due to the sad state of mainstream software.

@alcinnz @aral oh don't worry, I am also working on my ideal version of the web, but I still think that whatever is going on is worth being concerned about right now, since this is most likely an attack on the safest, most decentralized way to get software on iOS

@aral I could just 🤢 !!!
We need a new, free as in freedom, browser engine!

@der_On @aral I'm working on one, but if you expect it to be able to run "webapps" in it I'd advise you to design a new suite of standards that is actually feasable to reimplement.

@aral Is this also blocking installed apps? PWAs or otherwise?

iPhone OS had ‘add homescreen shortcut’ or something since the early days (I recall it in 3.x era, but I didn’t have one before it). Are they also wrecking offline storage for web apps that you actively installed without App Store — by tapping ‘add to homescreen’ or similar?

Sign in to participate in the conversation
Aral’s Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!