APIs declined by Apple

[polcak]

https://www.zdnet.com/article/apple-declined-to-implement-16-web-apis-in-safari-due-to-privacy-concerns/

• Magnetometer, see Magnetometer #59.
• https://developer.mozilla.org/en-US/docs/Web/API/Magnetometer/Magnetometer: Available in Chrome, Opera, not available in Firefox
• Wrapper added with Added wrappers for Generic Sensor API #165 and further improved in ba2e37d and fb4236e.
• Geolocation Sensor, see Bring back GPS wrapping #53
• I am not aware of any implementation (Still no implementation in March 2022)
• Web Bluetooth
• https://developer.mozilla.org/en-US/docs/Web/API/Bluetooth Available in Chrome, Opera, not available in Firefox
• User needs to provide explicit permission for a concrete device to interact with the web page. Otherwise, the API is not usable. We suppose no wrapping is thus necessary.
• Web MIDI API
• https://developer.mozilla.org/en-US/docs/Web/API/Web_MIDI_API: It seems to be available in Chrome, Opera, available in Firefox since 99
• Since Chrome 82 the user is always asked for a permission to use the API. We suppose no wrapping is thus necessary.
• Network Information API
• Partial support in Chrome, Opera, not available in Firefox
• https://pagure.io/JShelter/webextension/c/2c497e7a4a18eb797db43d3b24be28ad154ca336?branch=devel0.10
• Disable the API by default as Brave does Remove navigator.connection from Brave-core brave/brave-browser#20122
• Web Bluetooth Scanning
• https://developer.mozilla.org/en-US/docs/Web/API/Bluetooth: Available in Chrome, Opera, not available in Firefox
• This is the same as Web Bluetooth (above).
• HDCP Policy Check extension for EME
• See https://developer.mozilla.org/en-US/docs/Web/API/Navigator/requestMediaKeySystemAccess - this API can be misused for fingerprinting to detect capabilities
• Probabistically remove some supported codecs https://pagure.io/JShelter/webextension/c/6d33146d48b8ff8b4bf7a260b62e1ca38c44e1a0
• WebHID
• API for communication with Human Interface Device(s) (HID) connected to the computer. See https://wicg.github.io/webhid/
• Supported in Chrome (since Chrome 73), Edge, and Opera - PC versions only. Not available in Firefox.
• We suppose, no wrapping is needed. When navigator.hid.requestDevice() is called, Chrome prompts the user: "... wants to connect to a HID device." The user needs to select a concrete device and confirm with "Connect" (Testech in Chrome 98).
• Serial API
• API that provides access to computer's serial ports. See https://wicg.github.io/serial/
• Supported in Chrome, Edge, Opera - PC versions only. Not available in Firefox.
• We suppose, no wrapping is needed. For accessing serial devices, the page must first call requestPort(). Upon the call, Chrome prompts the user to provide extra permission for the website to access the concrete serial device: "... wants to connect to a serial port." The user needs to select the concrete port (e.g. ttyS0) and click on the "Connect" button. (Tested in Chrome 98)
• Web USB
• API that allows websites to access computer's USB devices. See https://developer.mozilla.org/en-US/docs/Web/API/USB
• Available in Chrome (since 61), Opera and Edge, including Android versions. Not available in Firefox.
• We suppose, no wrapping is needed. To access a USB device, the page must first call requestDevice(). Chrome then prompts the user to provide extra permission for the website to connect to the concrete USB device: "... wants to connect." The user needs to select a concrete USB device and click to "Connect". Moreover, using the API requires "secure context" to be established. In addition, only a single user-space and kernel-space driver can connect to a single device at a time: https://wicg.github.io/webusb/
• Device Orientation/Motion APIs
• https://developer.mozilla.org/en-US/docs/Web/API/OrientationSensor: Available in Chrome, Opera, not available in Firefox
• Wrappers for AbsoluteOrientationSensor and RelativeOrientationSensor added with Improved sensor wrappers #171 and improved in fb4236e.
• Prevent fingerprinting of attached cameras and microphones through the Web Real-Time Communication API (WebRTC). Available in Chrome, Opera, Firefox, see Prevent fingerprinting of attached cameras and microphones through the Web Real-Time Communication API (WebRTC) #80
• Ambient Light Sensor
• https://developer.mozilla.org/en-US/docs/Web/API/AmbientLightSensor: Limited support in Chrome, Opera, not available in Firefox, most likely return a fixed value of 150 or 200
• Wrapper added with e6957db.
• Web NFC API
• https://developer.mozilla.org/en-US/docs/Web/API/Web_NFC_API, available only in mobile browsers
• https://pagure.io/JShelter/webextension/c/75668be846304cc6d79a55460239d824ba6cc920?branch=devel0.10
• User Idle Detection
• https://wicg.github.io/idle-detection/, https://web.dev/idle-detection/, https://chromestatus.com/feature/4590256452009984 (consensus Firefox:Harmful, Safari: Negative), Implemented as https://pagure.io/JShelter/webextension/c/1912bb05d350cd9641bfcfdedf26cf80691d0a07?branch=devel0.10
• A similar API that we wrapped https://developer.mozilla.org/en-US/docs/Web/API/Window/requestIdleCallback: Available in Chrome, Opera, Firefox, it is used for benign purposes like: https://community.tt-rss.org/t/typeerror-window-requestidlecallback-is-not-a-function/1755, implemented as https://pagure.io/JShelter/webextension/c/c6930727c5907801958f6c539fd47adefe7d3e09?branch=devel0.10

Most probably we are not going to block:

• Proximity Sensor
• https://developer.mozilla.org/en-US/docs/Web/API/Proximity_Events: Firefox only, needs to be explicitely enabled; not supported by currently maintained versions (removed in 89)
• Support for custom fonts - raises a question what fonts should be presented - this does not
  seem to be suitable for JSR.
• Minor software update information from the user agent string. The string only changes with the marketing version of the platform and the browser. This makes sense implement only if we decide to create https://pagure.io/JShelter/webextension/issue/44.
• The Do Not Track flag - this is user configurable and I do not think that we should prevent
  the user from setting it. Report to your DPA sites that violates your wishes. This makes sense implement only if we decide to create https://pagure.io/JShelter/webextension/issue/44.
• Support for plug-ins: Not a job for JSR.

Already blocked (before opening this issue):

• Device Memory API
• Battery Status API

[ihranicky]

UPDATE: Several tasks completed.

With #165, #171, and fb4236e, wrappers were added for the following Generic Sensor APIs:

• AmbientLightSensor: https://www.w3.org/TR/ambient-light/
• Accelerometer: https://www.w3.org/TR/accelerometer/
• LinearAcelerationSensor: https://www.w3.org/TR/accelerometer/#linearaccelerationsensor
• GravitySensor: https://www.w3.org/TR/accelerometer/#gravitysensor
• Gyroscope: https://www.w3.org/TR/Gyroscope/
• Magnetometer: https://www.w3.org/TR/magnetometer/
• AbsoluteOrientationSensor: https://www.w3.org/TR/orientation-sensor/#absoluteorientationsensor-model
• RelativeOrientationSensor: https://www.w3.org/TR/orientation-sensor/#relativeorientationsensor-model

Some of the APIs seem to be safe enough and do not require wrappers. The API calls are protected by browser prompts that requires a user to explicitly grant access to a concrete device. Those include:

• Web Bluetooth
• Web MIDI API
• SerialAPI
• Web USB
• WebHID

Details were added attached to the original issue above.