26 comments

[ 4.4 ms ] story [ 63.0 ms ] thread
One of the key blockers to a good PWA experience on iOS.
I'm a big supporter of PWAs, but I don't think push notifications add all that much value for most regular apps much less PWAs. However, I do appreciate that the apps need to request permission to send notifications as opposed to regular apps which can send them unless explicitly denied permission.
> regular apps which can send them unless explicitly denied permission

That's not true at all. On iOS at least.

Anecdotally, every client that rejected a PWA approach has been due to insisting on push notifications. These apps are typically internal employee apps and the push notifications are important alerts that they do not want lost in the shuffle of emails.
Why would you want to push ‘important alerts’ using an off by default, unreliable api?
I can say we (roomlio.com) really miss not having push notifications on iOS for our chat PWA. Just presenting that as one use case where I believe push notifications would add value by notifying users of new chat messages.
Disagree.

For many enterprises/clients this is the key (and only missing feature).

I've seen apps that resort to sending text messages for notifications. I'd imagine the billing is more pricy, but some PWAs have to curtail App Store restrictions.
So if I'm understanding this correctly: Apple still refuse to implement this PushManager interface in Safari, but because they don't have a public bug tracker, the WebKit Bugzilla is where the iOS PWA devs go to vent?
It was recently fixed in WebKit, so I guess that’s a step in the right direction? Though I doubt it’s happening, lots of ads and spam via push notifications.
>> lots of ads and spam via push notifications

Yup, including via apps distributed in the iOS App Store. Hell, even some of Apple's own apps do it!

Apple could absolutely gate this and a dozen other "problematic" APIs behind a user willfully installing a PWA, and with all the other trimmings they use for "user privacy".

Hell, at this point, make us pay the apple Dev tax to be able to register to send notifications for a domain, make it so there's a reporting process or such with real consequences since you made us jump through so many hoops to register and prove we're real.

But no, Safari lingers and lags, and rightly or wrongly, looks to be gimped in favour of the app store and the walled garden revenue from it.

I’m not sure how you came to your conclusion but it doesn’t seem justified by the info in this bug.

It reflects Web Push being done in WebKit by Apple engineers (who use and pay attention to bugs.webkit.org). Apple doesn’t usually comment on when/if WebKit features will ship in Safari but Apple engineers don’t generally do stuff like this just for kicks.

Thank you for the context. Makes much more sense now.
Seems like the news here is that it was reopened on 2021-09-30 after another issue and patch landed here: https://bugs.webkit.org/show_bug.cgi?id=231008

From my reading that patch does not implement the whole thing, but rather a part of it, but I'm not familiar with webkit source, so I might be wrong and the rest of the implementation is in platform code.

Anyway it's nice to see any progress on this since it is one of the most requested features.

Progress I'd like to see, a toggle to deny all push notification requests... and the modal that precedes the permission request.

Alas, since asking for push notification permissions requires a user gesture, it wouldn't actually keep 1/6th the pages in the world from opening a spammy "can we notify you" box, which, should you hit yes, THEN opens the permissions. "Oh too many pages are asking for permissions..." "I know, let's make the page have to ask for permission to ask permission" :unicode-squirt-gun: :head:

IMO the whole permissions experience on the web is wrong/crap. The browsers all knew that unless asking for permissions brought up big bold obnoxious browser prompts, many many users would simply not have any idea the page was even asking. But that got to be out of hand, so then we had to make asking for permissions require a click or interaction, need a "use gesture" to kick off.

IMO we've failed by trying to serve everyone. That we are too afraid to make interfaces for good/advanced users is a tragedy. We insist on making only blunted instrument. So the whole experience is such crap.

Ideally there'd be a little permission requests icon with a number by it, or something in the awesome-bar/address-bar that shows: hey, I can do these things. Enable me if you want. Rather than modal & bold, a transactional thing, the page is just ambiently broadcasting what permissions it's happy to make use of. Users can selectively opt in/out whenever they feel like it. Yeah this site has been good, let me subscribe to their feed, let me add notifications. Oh this site can use my gyros/compass? Cool, I'll try that. Rather than the page making a request & expecting an answer, I just want the page to ambiently have requests open, the user not to be prompted but to have some means of checking what's ambiently available, opting in. Yes, many users would simply never know. Perhaps we need a bifurcated experience, options in our browers, browsers built for more discerning users: something we haven't dared do in a long long time. But by compare the current model of permissions is aggressively crappy & a huge attention hog. Simply being able to turn them off would be a help, but we'd still have to suffer the same egrious visual spam that stupid user-gesture requirements have wrought anyways. What a fuck up, what an awful local minima we're trapped in.

FYI in Safari desktop, which supports web push, you can turn deny all requests. The same thing works for the other permission types as well.
Yet if you clear your cookies regularly in addition to cookie permission pop-ups you get web push request pop-ups, because it’s more effective to request permission and then trigger the browser UI.
Be VERY careful on accepting push notifications!

There is a huge malvertising campaign targeting mobile users (especially Android) that tricks users into accepting push notifications with fake CAPTCHAs or fake media player buttons that push malicious ads and mobile malware and can even lead to botnet activity.

The risk versus value is too high.

The software being used to push this malware is from Propeller ads and more recently AdMaven but is protected by Russian DDoS services.
Also AdFly does it too. For an example, go to https://firfox.com on Android. Depending on the campaigns active at the moment, you'll probably get pages trying to get you to enable push and or download VPNs or "antivirus" apps. (Especially Norton) On Windows Firefox, you sometimes get the "Your computer has a virus!!! Call our number!!!" sites too.
For the past couple years, every time I visit my mom I borrow her phone and unsubscribe her from a bunch of push notification spam senders. It is way too easy to allow these notifications.

Reading the messages in that bug tracker from ecommerce sites, I really do wonder how many of their customers genuinely want pushes for coupons and ads vs how many just see a "you need to click some button to get on with things" and accept because that's just how computers seem to work for them.

Then again, I'm perpetually cynical on these because I don't want push notifications for anything that doesn't actually warrant an inturruption to my daily life. I'm not 'settling for email' as one ecommerce marketer puts it. If you are sending your email content to notifications, then my notifications will just become another email inbox and lose their value.

It's a completely avoidable UI problem, too. There are two kinds of notifications:

- Notifications while I am actively using a thing - for example, "your upload is finished," or "."

- Push notifications from some website I looked at once and accidentally allowed notifications.

Browsers keep treating these as if they're the same thing. Firefox doesn't make any effort to separate them - you get the same "allow notifications" banner whether it's for push notifications or the plain old notifications API (https://developer.mozilla.org/en-US/docs/Web/API/Notificatio... / https://bugzilla.mozilla.org/show_bug.cgi?id=1192458).

But they're obviously different. I don't want to disallow notifications for every website I interact with, but if you aren't telling me what kind of notifications these are, I don't really have much to work with here.

Assume you don't want them, unless your usecase requires them?
Why not push notification for PWA to start with? the user buys a 1k phone, finds an app that an indie developer/solopreneur built as PWA to lower the cost, install the app willingly on their device but discover the experience is lacking because....:

Apple wants to milk the users and developers for money in the name of privacy. And on top of that, we've outsiders defending them!

> If apple opts into WebPush this will cut into its AppStore revenue eventually.