Conversation

Sounds more likely this will be used for "disable lockdown to view our site so our malvertising partners can track you better". 😡 FFS don't give them ways to identify & single out users protecting themselves. 🤦 twitter.com/botherder/stat

This Tweet is unavailable.

Rich Felker

@RichFelker

Aug 14

To clarify I'm not blaming

@botherder

but rather Apple for making this detectable from browser.

Replying to

and

It's detectable because it disables features for attack surface reduction and you can detect that those features aren't available. Main issue with their lockdown mode is they shoved a bunch of stuff into it which should just be enabled by default with overly inconvenient stuff.

Replying to

and

There's a list of what it disables in the browser at blog.alexi.sh/posts/2022/07/. It's very easy to detect in multiple ways. Since it's all or nothing, you know it's from lockdown mode. If you need a single one of those features, you can't just enable the feature that's needed.

blog.alexi.sh

The impact of iOS 16 Lockdown mode in Safari

A look at how the new iOS lockdown mode affects web performances and features.

Replying to

and

We disable JIT by default on GrapheneOS for Vanadium with a per-site toggle and plan to do the same for WebView with a per-app toggle. It doesn't make any noticeable impact for most sites but for certain very heavyweight sites it's very noticeable. It makes Element Web unusable.

12:55 PM · Aug 14, 2022Twitter Web App

Replying to

and

We plan to disable other features by default in the browser with similar per-site toggles. We wouldn't want it to all be tied together. We take a similar approach in the OS where we deny new USB devices when locked by default, etc. We upstreamed perf being disabled by default.

Replying to

and

All disabled by default, opt-in per-site never globally, is really the only right solution here. It precludes random junk sites you visit fingerprinting based on the set you enabled.

Show replies