What good prompting the user does if the prompt says: "Would you help to make your beloved app even better?" or "Give permission to use Bluetooth?"
We as developers know the technology is not safe. We know users can't know what we know. But we still push it to users.
We are not protecting users. We are just transferring responsibility to users and we know that's know "gonna end well" but we're doing it anyway because of what? Because we can? Profit? Chromeos? Why?
I note that the example skipped one crucial step, to scan for available devices. Scanning and enumerating available devices, and selecting a device, is a step where potentially sensitive information is exposed.
Will scanning for and getting a list of all available devices be something that a websites can do through the api? Or will the api delegate scanning to the browser, much like the file selector api, where the browser is only exposes the final user selection, the selected file, rather than letting the webapp have access to the entire file system? I.e in this case a list of all available bluetooth devices?
No, as you can see in the video the browser lists available devices and the user then selects from that list. The website only ever sees the device the user selects (if any); it can't read the list itself.
IIRC there _is_ a separate standard that allows websites to scan for nearby Bluetooth devices but it's via a completely different API with its own separate permissions system.
We as developers know the technology is not safe. We know users can't know what we know. But we still push it to users.
We are not protecting users. We are just transferring responsibility to users and we know that's know "gonna end well" but we're doing it anyway because of what? Because we can? Profit? Chromeos? Why?