Here’s what Mozilla has to say about Web NFC, for example:
> We believe Web NFC poses risks to users security and privacy because of the wide range of functionality of the existing NFC devices on which it would be supported, because there is no system for ensuring that private information is not accidentally exposed other than relying on user consent, and because of the difficulty of meaningfully asking the user for permission to share or write data when the browser cannot explain to the user what is being shared or written.
And here’s what they have to say about Web Bluetooth:
> This API provides access to the Generic Attribute Profile (GATT) of Bluetooth, which is not the lowest level of access that the specifications allow, but its generic nature makes it impossible to clearly evaluate. Like WebUSB there is significant uncertainty regarding how well prepared devices are to receive requests from arbitrary sites. The generic nature of the API means that this risk is difficult to manage. The Web Bluetooth CG has opted to only rely on user consent, which we believe is not sufficient protection. This proposal also uses a blocklist, which will require constant and active maintenance so that vulnerable devices aren't exploited. This model is unsustainable and presents a significant risk to users and their devices.
The fact is that Google wrote these specifications, couldn’t convince any other rendering engine to implement them, and somehow it’s Apple’s fault the rest of the world rejected their idea.
These are not web standards, they are Blink-only APIs that Google decided to build unilaterally. The web is not defined by whatever Google wants. Web standards are supposed to be arrived at through consensus, and the consensus is that these things should not be part of the web.
>and because of the difficulty of meaningfully asking the user for permission to share or write data when the browser cannot explain to the user what is being shared or written
So fucking moronic privacy virtue signalling BS holding technology back.
They're doing the same thing with Web Bluetooth.
"hurr de durr we can't ask permission" Yes you fucking can, you give me a modal to confirm leaving the current page and being redirected to a new one (in some cases, but not all), you give me a pop up when a site asks to send shitty notifications (as they all do).
An app can sit and use nfc/bluetooth in the background all day long...a site can only do it while I actually have it open in the browser and presumably it's foregrounded etc.
It's really, really NOT hard for them to implement this stuff & I feel like it's less "this tech that has been in phones for more than a decade is unsafe!" and more "we need to cry about features that Chrome is pushing for us to support because otherwise we're letting them lead".
>The fact is that Google wrote these specifications, couldn’t convince any other rendering engine to implement them, and somehow it’s Apple’s fault the rest of the world rejected their idea.
Apple is on the W3C board that gets to decide which APIs become standards. They are preventing these APIs from becoming standards. They have an interest to forbid Web Bluetooth and NFC from becoming standards, because they profit heavily from native apps on their iOS platform, where they collect a percentage of all sales made through apps, so they want to force developers to create native apps instead of web apps.
I'll also point out that Opera, Edge, Samsung and others did implement the Web Bluetooth API, so you are wrong about your assertion that they "couldn't convince any other rendering engine to implement them".
If you don't think Apple is abusing their power here, then you are either lacking understanding of how Apple operates, or you just love Apple a little too much.
> Apple is on the W3C board that gets to decide which APIs become standards. They are preventing these APIs from becoming standards.
They are not. You have this almost entirely backwards. To become a standard, you only need two independent interoperable implementations. This means Apple cannot block something from becoming a standard. The only thing Google needs to do is convince anybody else to implement their proposals. So far they have managed to convince precisely zero other rendering engines to do so.
> I'll also point out that Opera, Edge, Samsung and others did implement the Web Bluetooth API, so you are wrong about your assertion that they "couldn't convince any other rendering engine to implement them".
All of these are Chromium / Blink users, not independent implementations.
If Apple won't allow an API onto Safari because it competes with native apps, then why should Firefox bother to implement it? Just because something moves forward in standards, does not mean Apple will ever implement it in their browser. They may never, and so why should Firefox do so, if Apple just blocks Firefox on their platform anyway? Chrome already has the APIs I want on Android, so Firefox won't spend the money to implement a non-standard before it is a standard.
Apple has a lot more control over this situation than Firefox does, and Firefox has limited resources.
> We believe Web NFC poses risks to users security and privacy because of the wide range of functionality of the existing NFC devices on which it would be supported, because there is no system for ensuring that private information is not accidentally exposed other than relying on user consent, and because of the difficulty of meaningfully asking the user for permission to share or write data when the browser cannot explain to the user what is being shared or written.
— https://mozilla.github.io/standards-positions/#web-nfc
And here’s what they have to say about Web Bluetooth:
> This API provides access to the Generic Attribute Profile (GATT) of Bluetooth, which is not the lowest level of access that the specifications allow, but its generic nature makes it impossible to clearly evaluate. Like WebUSB there is significant uncertainty regarding how well prepared devices are to receive requests from arbitrary sites. The generic nature of the API means that this risk is difficult to manage. The Web Bluetooth CG has opted to only rely on user consent, which we believe is not sufficient protection. This proposal also uses a blocklist, which will require constant and active maintenance so that vulnerable devices aren't exploited. This model is unsustainable and presents a significant risk to users and their devices.
— https://mozilla.github.io/standards-positions/#web-bluetooth
The fact is that Google wrote these specifications, couldn’t convince any other rendering engine to implement them, and somehow it’s Apple’s fault the rest of the world rejected their idea.
These are not web standards, they are Blink-only APIs that Google decided to build unilaterally. The web is not defined by whatever Google wants. Web standards are supposed to be arrived at through consensus, and the consensus is that these things should not be part of the web.