Disable your invasive notifications!

lperkins2 · September 1, 2020, 8:55pm

Your forum software asks users to allow it to run arbitrary javascript inside a “Web Worker”. As is typically the case with these invasive scriptlets, it claims they’ll only be used for “push notifications”, but the actual WebWorker system is not restricted to notifications, instead, it can do anything doable inside javascript, even when the user is not on the website. These scriptlets also are often self-updating, which means a compromised “notification server” can be used to launch attacks against people’s computers. In short, this is a fairly serious “miss-feature”, which a privacy-oriented, freedom-respecting company ought not use.

There is a standard format for push notifications, which people who want them can use (and your website probably ought to offer): RSS.

kieran · September 2, 2020, 2:04am

Fair comments but Purism is using the Discourse forum software AFAIK - so if someone wants to pursue this then the first question would be whether Discourse even offers control over this.

If it doesn’t then I am fairly sure I want Purism software engineer resources devoted to getting the L5 out the door rather than forking Discourse.

I take it that you have looked over your own forum profile to confirm that there is no per-user control over this.

lperkins2 · September 2, 2020, 3:44am

There is per-browser control over this. You can get rid of the notification request on each device. Not sure how long it will last, as most websites ask again in a week or so.

It’s a fair point that this is standard software, so it’s not worth developer time chasing upstream, but if Discourse does allow control over this, it should be properly configured.

kieran · September 2, 2020, 3:57am

If you yourself want to pursue this … https://meta.discourse.org/

Maybe someone already asked - or you could sign up to YAWS (Yet Another Web Site) and ask there yourself.

StevenR · September 3, 2020, 10:54am

One thing that many manufactures do and that I really don’t like is when they create exceptions for themselves, with respect to how the operating system works. Microsoft does it from time to time. Just recently, Samsung has been doing it on my Note 9. Samsung is sending me notifications (advertising of paid features that they want me to try), and those notifications can’t be turned off. I can disable other notifications, but not the Samsung ones. I hope Purism never does this kind of thing. Operating system features need to always be consistent, no matter what.

kieran · September 3, 2020, 12:05pm

If they did then someone can edit the source to take those notifications out.

The only reason it works for Microsoft or Samsung is that they provide blackboxes.