It seems that any time Apple releases something there is bound to be some noise regarding it. This time, it’s in regards to browser storage and Apple’s recent proclamation that such data will be deleted after 7 days. Well let’s break this down and see what this really means for developers.
Let me start by saying that these are only my opinions. These do not reflect the opinions of Ionic or the rest of my coworkers. In fact, there’s healthy disagreement and differing views among our team, as I’m sure there are on yours.
Recently, Apple released a blog post talking about their latest enhancements to Intelligent Tracking Prevention. There’s a lot to this blog post, but the part that stuck out to everyone was:
Now ITP has aligned the remaining script-writable storage forms with the existing client-side cookie restriction, deleting all of a website’s script-writable storage after seven days of Safari use without user interaction on the site. These are the script-writable storage forms affected (excluding some legacy website data types):
Indexed DB
LocalStorage
Media keys
SessionStorage
Service Worker registrations
Wait what? Apple is going to clear out my site’s storage after seven days? WTF Apple?? This seems to be the reaction that most people are having on Twitter, Hacker News, etc. The backlash was so strong that the blog post author went back and added some additional comments to clarify exactly what they meant. So what does this mean?
📞 Seven days…
Well from the very beginning, it’s been pretty vague what is considered “Seven days of use”. I kept thinking about the scene from “Scary Movie 3” where the main character has an argument about what “Seven Days” really means (a gem in an otherwise ‘meh’ movie). Well after thinking about the blog post for a few days now, I think I finally have the breakdown.
Inside of Safari, there is an internal counter. Let’s say you access Site A (startrack-ng.web.app). Site A has a service worker and when you visit it, it registers the service worker with Safari. You leave the site and don’t touch your phone for the rest of the day. The next day, you use your phone again and go to Site A. Since you’ve used Site A again, there is no day counted against you.
So now you wait another day, you open Safari, but this time you go to Site B. You read some articles, close out the browser and don’t use your phone. After this day, you have now reached one day of Safari use without interacting with Site A. You are now down to six days.
The next day you don’t use Safari at all. You still use your phone, but you haven’t actually opened the browser. Well since you haven’t used Safari, you do not accrue another day. So your count will still be at six days remaining.
This is the pattern. Users have seven days of Safari use in which to visit your site. If your site is not loaded within those seven days of Safari use, the script-writable storage will be cleared out.
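The counter described above can be modelled in a few lines. This is an added example, not code from Apple, WebKit or the original post; the site names are constructed, and clearing storage exactly when the count reaches seven is an assumption drawn from the walkthrough.

```javascript
// Added illustration: a model of the counter as this post describes it,
// not WebKit's implementation.
const CAP_DAYS = 7; // "seven days of Safari use" from the quoted announcement

// `days` is a constructed browsing history: one array per calendar day listing
// the sites the user interacted with in Safari. [] means Safari was not opened.
function simulateItp(days) {
  const idle = new Map(); // site -> days of Safari use without interaction
  const purges = [];      // { site, day } records; day is 1-based
  days.forEach((visited, i) => {
    if (visited.length === 0) return; // no Safari use: no counter moves
    for (const site of [...idle.keys()]) {
      if (visited.includes(site)) continue;
      const n = idle.get(site) + 1;
      if (n >= CAP_DAYS) { // assumption: storage is cleared when the count hits 7
        idle.delete(site);
        purges.push({ site, day: i + 1 });
      } else {
        idle.set(site, n);
      }
    }
    // Interacting with a site starts (or restarts) its clock at zero.
    for (const site of visited) idle.set(site, 0);
  });
  const remaining = {};
  for (const [site, n] of idle) remaining[site] = CAP_DAYS - n;
  return { remaining, purges };
}

// The scenario walked through above: Site A, Site A, Site B, then a day
// on which Safari is never opened.
const story = [["site-a"], ["site-a"], ["site-b"], []];
console.log(simulateItp(story).remaining);

// Six more days of Safari use that never touch Site A.
const longer = story.concat(Array(6).fill(["site-b"]));
console.log(simulateItp(longer).purges);
```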
Home Screen Apps
One of the questions that did arise out of the Twitter/Hacker News backlash was with regards to apps on the home screen. Since they are not loaded through Safari, what’s their counter logic? Turns out, they effectively do not have a counter. Well, they do, but the same logic as above is applied. Since they only load one web app, their counter will effectively never hit seven days.
Similar to Home Screen Apps, Capacitor/Cordova apps are not affected by this. Some interesting technical details here…it seems the counter is limited to Safari-based apps. Since Cap/Cordova Apps use WKWebView, they actually don’t have a counter at all.
Ok, I believe you, but my Twitter circle doesn’t
So if this is the case, what is all the frustration about? There seems to be an inherent distrust when it comes to Apple and the web. A lot of people see Apple as the villain in the Web Ecosystem, wanting to kill it in favor of the iOS App Store. While Apple is certainly an odd duck when it comes to its behavior in the Web Ecosystem, I do not see them as the villain.
Apple and Safari have made their claim on being a fast, secure, and private browser. That’s their mission statement. Everything that Safari/WebKit does goes toward making sure users have a fast browser that doesn’t use their data for ads or malicious intents. When third-party sources attempt to track you and identify who you are, this goes against Safari’s goals.
Let’s go back to Service Worker, since it seems to be the most contentious change. As it stands, the Service Worker Spec does not define a limit on how long a registration should last. I read this blog post from Jeremy Keith and came across this passage:
So I was curious. Wanting to give Apple the benefit of the doubt, I set about trying to find out how long service worker registrations currently last before getting deleted. Maybe this announcement of a seven day time limit would turn out to be not such a big change from current behavior. Maybe currently service workers last for 90 days, or 60, or just 30.
There was no time limit previously.
Which links to a tweet from Safari’s Dev Rel.
I will say this, yeah this is a drastic change. I can think of a few situations where this will hurt my user experience. But I do think that having no limit on service worker life is even more dangerous. Considering how powerful service workers are, they should have some limitations to make sure they do not become an attack vector for fingerprinting.
PWA !== Service Workers
There are a lot of people who see service workers as a key part of Progressive Web Apps. If you are not adding a service worker to your site, it’s not a PWA. I respectfully disagree. A PWA is not a specification. There is no official document that says “A PWA is A,B,C”, and there shouldn’t be. PWA is defined by best practices. Tying PWA to a specific API seems like a mistake and does more harm.
Is Apple Trying to kill the Web?
No, Apple is not trying to kill the web. The people who work on Safari love the web and want to see the web’s continued growth. What I think we’re seeing is a conflict of culture, goals, and priorities. Developers constantly want new bells and whistles but haven’t considered what all that means. While it might be difficult to have a voice in the community push back and say “we should have limits”, it’s a conversation I think we all should be having.
Thanks y’all for listening, I would love to know your thoughts on this as well. Cheers!