> The Chrome team has also asked for formal Standards Positions from both vendors, see the Related links section. The <permission> element is an ongoing topic of discussions with other browsers and we're hoping to standardize it.
I don’t understand this proposal enough to have an opinion yet, but that sure is an interesting way to say both Firefox and WebKit oppose it.
This bit from the WebKit response hits hard for me:
> Security Complexity: Proposed security measures (styling constraints, timing, and position mitigation) add substantial complexity, indicating possible fundamental issues with the approach.
"Security complexity" is never something you want to see, because it will become yet another game of whack-a-mole between browser makers and hostile websites (i.e. between Chrome and Google Ads). Does anyone believe that a standard will hold up against the AdTech industry armed with the full power of HTML+CSS+JavaScript? These are the people who brought you the "Enable push notifications? Yes/Pester-me-later" pre-prompt.
At face value this seems reasonable, but (and this might just be me) because its being pushed by Google I have to ask myself: what's in it for Google, and what am I missing?
Manifest 3 for example breaks adblockers for the sake of 'security', and adverts are Google's business. Passkeys are pushed for security as well (and do have benefits) but for the average person locks you into a eco-system; another business model plus for Google.
So with that in mind, how does this benefit Google at the expense of the user? Making the permissions less explicit, or less separate from the content of a site might be a net benefit to Google... I don't know.
I might also be reading way too much into motivations, and/or paranoid.
It makes it easier for users to enable permissions, accidentally too, and thus lower security and privacy. Google products are designed to exploit that. Google probably has data showing a large number of users have disabled such permissions globally, with no easy path to trick them into opting back in. That would be the cynical view!
edit: also one can never be too paranoid around Google.
> It makes it easier for users to enable permissions, accidentally too, and thus lower security and privacy. Google products are designed to exploit that.
I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.
> I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.
This does not appear to be the case, at least on iOS Safari. I went to Google Maps, gave it permission, then went to Google Search and searched for “delivery near me.” It again asked me for permission.
Passkeys require a password manager, so at most, this locks you into a password manager - choose carefully!
But it’s not that locked in. You can generate new passkeys for a different password manager, so migration is more of an annoyance, if you do it gradually. Having more than one password manager for a while isn’t so bad.
Now that the FIDO alliance transfer protocol has been hashed out, Passkey transfer has been announced to be coming in iOS/macOS 26, I assume it's also coming to the other password managers
No, they do not. For the vast majority they will simply require using the two major closed OSes which desire to lock the user in. Importantly the OS layer is where they will first encounter keypass, and so that is where the vast majority of keypass will happen, which is as gp said, the lock in factor.
Advanced users such as that that browse this site, will make use a password manager. Due to the extra effort involved, such users are a minority.
iOS and Chrome (often on Android, but not necessarily) have built-in password managers. I use both! I believe Windows has one, too.
It's true that a lot of people who don't really think about which password manager they should use will end up using one of those by default. (Much like happens with web browsers.)
Getting the masses to use password managers regularly will greatly improve security. It would be better if more people made a deliberate choice, though.
Passkey lock in appears to be a temporary issue. One of the WWDC announcements was that the FIDO alliance worked out a way to securely port passkeys between platforms. I expect Google to adopt import and export before year end.
I believe the issue Google is attempting to solve is frustration when a single web page spams multiple permissions requests. (Location, camera, microphone, advertiser tracking, notifications, privacy policy agreements, terms of service, etc…). The benefit to Google is better fingerprinting when a single sheet allows all at once.
Edit: perhaps they will sneak in a Google automatic login as a permission to smooth user interactions.
That's the "cover story" use case. The real use case is so that passkeys created on Apple devices can only ever move to other Apple devices, and ditto for on Microsoft or Google devices, and the real point of attestation is so that they can force you to use theirs by cryptographically ensuring that you're not using open-source ones like KeePassXC.
As an example, see this issue opened against keepassxc saying that if they continue allowing plaintext passkey export, they're at risk of being blocked once attestation is standardized:
The goal here isn't maximizing user choice, it's to enforce minimum agreeable standards by the major vendors. It's up to you whether your personal needs wholly align with what they want to mandate, forever.
I appreciate the effort being made here but the more I think about it the more I’m convinced it’s a no-win scenario.
Modal permission prompts are very annoying but inline prompts will need to have styling severely limited (as they do here) to avoid nefarious use. Almost all web sites with a designer attached will end up continuing to use styled buttons that call the modal prompt when clicked. I guess this sort of works as a <noscript> equivalent for permissions… but you can’t use the majority of those permissions without JavaScript anyway.
This special class of element also feels like a maintainability nightmare for browser teams. What happens when I put a <div> on top of this prompt with pointer-events:none on it? Would be textbook example of how you could mask the prompt. I’m sure you can fix that but there must be a hundred whack a mole problems I haven’t even thought of.
> Another challenge, especially on big screens, is the way the permission prompt gets commonly displayed: above the line of death[0], that is, outside of the area of the browser window that the app can draw onto.
So the proposal is to... put the permissions grant flow _below_ the line of death? Permissions grants _should_ break out of the untrusted context! It's a privilege escalation that only the browser (and its associated UI) should be able to grant!
I thought I liked the idea at first when I was imagining an element with no UI that just told the browser what the page wanted - I see how that solves some of the issues they mention at first. But I don't like it as a UI element that is interacted with - the whole performance around what styling of it is allowed seems like the tip of a nasty iceberg of awkward issues and anti-patterns.
Looks sensible, though I imagine it is going to be a nightmare trying to prevent click jacking, e.g. people putting elements over the top with `pointer-events: none`. There are probably a load of those attacks that are possible. Probably not too bad though because the final dialog is presumably shown above all other elements unconditionally.
Also those dialog designs are pretty awful from a usability point of view. In terms of design they all look identical, but the buttons change meaning pretty drastically, so you have to actually read the text. It would be better if it had some kind of slider or something that showed you the three possible states and let you switch between them consistently.
I really dislike when this happens. Completely side steps the standards process and puts forth an API that will have to be now considered since it’s in use. Chrome has done this before, too, I’m pretty sure with web components. Leading to the mess that they are.
I think that’s kinda misleading, isn’t it? You make it sound like it’s making good progress towards standardisation. They asked for feedback from other browser vendors, everybody said no, and they are shipping it anyway. Is “incubation happened, now on to origin trials before standardisation” really a suitable summary of that?
> “incubation happened (and we don't care what anyone said), now on to origin trials before standardisation (in chrome, and good luck if you use another browser)”
That's exactly how google would describe it with some missing context added.
Technically, it’s not two browsers shipping it, it’s two independent implementations. Otherwise everything that Google ships as part of Blink would become a standard as soon as any one of the other Blink-based browsers (e.g. Edge) includes it.
Well, they moved on despite both other major engine vendors having a negative position on this spec, so is the standards process really doing anything?
I think this is not the good way to handle permissions; it has many problems (including the problematic complexity of the security and other aspects of the implementation). Other comments mentioned here describe some of these problems. I think it is better to use the browser's UI instead of within the document itself.
However, I also think it would be a better idea to allow these permissions to be proxied (e.g. when camera access is required, you are allowed to specify a file instead if you want to do, or any external program, etc; this can be a third option in addition to "allow" and "deny"). To be able to easily undo permissions, add a menu that you can easily alter them.
If it's blocked by default and you need to interact to opt in, isn't the default "block on every visit"? The only reason it's an option now is to avoid the modal popping on every visit, which isn't a concern for this proposal.
Edit: Not sure why I'm being voted down? Can someone who disagrees with my statement explain why you'd click a button with the goal of opening a modal to deny a permission when the permission is already blocked?
It depends on how styleable the <permission> element ends up. I don't imagine any website will use it if it's limited to being an ugly default button with non-configurable text. But if the button is configurable enough, there's nothing to stop websites from abusing it for permission spam, just like the current model is.
Basically, I expect users wil stil need a way to defend against permission spam.
This proposal doesn't (nor can it possibly) fix the issue of the site putting a full-viewport UI up that forces you to trigger a permission modal. That's an issue today, and it doesn't even have anything to do with permissions. See: cookie popups, newsletter popups, disable your ad blocker popups. It's impossible to avoid that problem, because the nag screen is the content of the page. Even if you block permission requests with today's options, the site can still do this to annoy you into changing your mind.
If you're on a site that follows your cursor around with this button forcing you to click on it, the SITE is spam, not the permission request.
That's the point: the site never asks for permission with this proposal. You can't opt out of asking because the UI for the proposal is explicitly opt in. What would you want such an option to do in the context of this proposal?
I’m not sure the linked document makes a good case for this. My initial reaction was that I didn’t understand why they made a point of it being declarative when the permission that results requires imperative code to function.
I think the point behind this is to stop websites from spamming permission popups by moving the permission prompt to page content and making the contents browser-controlled not website-controlled. I think that’s a better model, but it doesn’t really solve the annoyance of having the “fake” permission prompt followed by the real one, does it? Won’t websites just alter their “enable notifications” fake popup to include this?
I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.
> I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.
You're describing the "no easy undo for allow" problem. Google doesn't care about that and doesn't want to fix it, since they want more of your data, not less. This element is just to have a solution to the "no easy undo for block" problem.
It's a good idea, but that complicated list of styling interactions/restrictions seems honestly ridiculous.
If the goal is to let users easily identity this element as "browser-provided", then having the element "stick out" and be distinct from the page style would sort of be the point - so I don't see why styling fonts or colors should be possible at all.
If this is not the goal, then why restrict styling at all?
In any case, I don't see how users could be educated to rules like "If the letter spacing is between 0 and 0.5 em, it's genuine, otherwise it's fake" or "the font can be normal or italic, but not bold or underlined" to distinguish genuine from fake permission elements.
I get that permitting full styling would allow all kinds of dirty tricks with overlays, strategic invisibility etc, that have to be defended against. But do they really want to play continuous whack-a-mole with all the ways styling could be exploited?
Isn't there an important reason for the permission dialog to _not_ be in the content area? I see no discussion of how this will avoid clickjacking attacks.
There are no screenshots in the linked article that show a permission modal in the middle of the viewport. The only screenshot with a modal in the viewport is a screenshot of Google Meet today without this, showing how to open the modal to reset permissions.
The permission modal that's shown intentionally overlaps the line of death, which is exactly the same as it is today
A ways down in the discussion they note that there's really two parts to the proposal: showing the permission state and triggering the permission dialog, and separately having an in-content permission dialog. The article linked here doesn't seem to touch the second part at all. That's probably wise, and it doesn't mean the proposal is DoA.
thinking how this shifts the framing of permissions from being browser-managed to site-declared. putting the intent inline means sites start shaping how consent feels, not just when it happens. that changes the surface area. the prompt becomes part of UX design, not just a browser interruption.
it's subtle, but long term it puts more pressure on users to parse trust context visually, not functionally. if every site can skin permission requests differently, consistency breaks down. user instinct gets trained on style, not source
So Chrome's just completely sidestepping `.request` being dropped for being too much of a security risk in the context of people being limited in attention, and the web being rife with abuse, then? That's how this whole thing reads to me.
What about <permission> having browser-defined UI instead?
A site needs to access the location, for example there's a button on the page, 'Show my location', which is wrapped in a <permission> tag. When the user hovers over the button, the browser UI would appear on top of the area with a lock or something (the site cannot style this UI). If the user clicks on it, it would show the usual 'Site wants to use your location', and if the user agrees, they can click on the 'Show my location' button, if they don't agree, the browser UI would be shown again on the next hover.
It would make it impossible for sites to obscure the permission-requesting UI.
These fuckers ask for location on each search query, basically on each page load.
It is annoying to operate on Firefox focus and regular Firefox on android as it has a bug I assume that does not honor per site permission disable request.
Same on Firefox desktop, it works, sometimes it does not and then the site is unusable unless you deny location on each page load. Urrrghhh
We need global default off and per site permission.
Also, would it not be easier to pass dummy coordinates like 0.00,0.00 to bypass the nag screen ?
Same for notifications. "Yeah yeah notifications are enabled. Stop bothering me" ??
Notably absent from the list of allowed CSS declarations is font-family, probably because you could abuse it to change the text on the button. While I appreciate the safety that this gives, it's going to be an annoying UX wrinkle basically in perpetuity. Especially if you're building a page with serif fonts and the browser makes your button sans serif (or vise versa).
An <intrusive type="..."/> element. It wouldn't be styled by the site except to determine whether it was visible at all and how it was positioned on the page. The element would support a dom api to query information corresponding to it's type (eg location, video, etc). The element would only provide information when it was fully visible on the page. It would display on top of every other element on the page, and wouldn't be permitted to be positioned on top of other <intrusive> elements. It would display to the user a visualization of the information being provided to the website. For example, an <intrusive type=location> element would display a map with the location the browser is giving the website being positioned on the map.
By default, if the user didn't interact with it at all, it would give the page "fake" information that doesn't require permissions to know. For example, for location, it would display the location on a map as determined by the users externally visible ip address using geoip. For video, it would display a static avatar. For audio, it would perform text to speech based on whatever is typed by the user. The element would contain a short text explaining that this is what it is doing (eg: "Location: coarse"; "Video: avatar"; etc). The user could click/tap on the element to configure what information it provides. For an <intrusive type=location>, a dialogue would be displayed suggesting the user either give "fine", or "coarse" location to the site. A preview of what the intrusive element would look like afterwards would be given for each option. The default selected option would be whatever the currently selected option is, eg "coarse" for location. There would be a button marked "continue" which would leave the current option selected. Since users often click "continue" (or "ok", or even "cancel") without thinking about what they are doing, this would cause the permission to "fail safe".
I wish the template that Google uses for all of their dev blogs had a clear date, otherwise people would have realized that this is one year old, and the origin trial has already ended.
I think that as long as the APIs for interacting with whatever each permission gives access to: camera, microphone, geo-location, etc, can't be accessed directly from HTML, a <permission> tag should not be in the spec.
Maybe they want to bring a whole lot of other elements in to allow that type of access, but I wouldn't put the carriage before the horses.
> Finally, it is too easy for users to navigate themselves into a dead-end. For example, once the user has blocked access to a feature, it requires them to be aware of the site information drop-down where they can either Reset permissions or toggle blocked permissions back on.
Yea, that's a real humdinger, if only the vendor of that software would commit some engineering resources to solve that problem.
These prompts should not be stylable and should have a standard layout for all sites. This is another cookie banner disaster in the making. This is a big step backwards.
The article says: “In its simplest form, you use it as in the following example:
<permission type="camera" />
” but this isn't how HTML works. Really, while at first glance it might seem like a good idea, this whole feature is an inconsistent mess. It's not the declarative element it's claimed to be.
Except it is declarative? The element renders a button and clicking the button (without any JavaScript) shows a browser UI for managing the permission. How is that imperative?
It's not declaring a permission: it's instructing the browser to render a button. That's like saying <button onclick="Notification.requestPermission()">Notify me!</button> is declarative.
It's declarative in that it's telling the browser to render a complete UI for showing and modifying the state of the permission. Just because there's also an imperative API that already exists doesn't mean it's not declarative. It's certainly not imperative, there's nothing imperative about it.
Moreover, it allows the user to show the browser controls for re-requesting the permission if it was previously denied, which isn't possible with the imperative API (because an imperative API can implicitly be abused).
I don’t understand this proposal enough to have an opinion yet, but that sure is an interesting way to say both Firefox and WebKit oppose it.
https://github.com/mozilla/standards-positions/issues/908#is...
https://github.com/WebKit/standards-positions/issues/270#iss...
> Security Complexity: Proposed security measures (styling constraints, timing, and position mitigation) add substantial complexity, indicating possible fundamental issues with the approach.
"Security complexity" is never something you want to see, because it will become yet another game of whack-a-mole between browser makers and hostile websites (i.e. between Chrome and Google Ads). Does anyone believe that a standard will hold up against the AdTech industry armed with the full power of HTML+CSS+JavaScript? These are the people who brought you the "Enable push notifications? Yes/Pester-me-later" pre-prompt.
Manifest 3 for example breaks adblockers for the sake of 'security', and adverts are Google's business. Passkeys are pushed for security as well (and do have benefits) but for the average person locks you into a eco-system; another business model plus for Google.
So with that in mind, how does this benefit Google at the expense of the user? Making the permissions less explicit, or less separate from the content of a site might be a net benefit to Google... I don't know.
I might also be reading way too much into motivations, and/or paranoid.
edit: also one can never be too paranoid around Google.
I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.
This does not appear to be the case, at least on iOS Safari. I went to Google Maps, gave it permission, then went to Google Search and searched for “delivery near me.” It again asked me for permission.
But it’s not that locked in. You can generate new passkeys for a different password manager, so migration is more of an annoyance, if you do it gradually. Having more than one password manager for a while isn’t so bad.
No, they do not. For the vast majority they will simply require using the two major closed OSes which desire to lock the user in. Importantly the OS layer is where they will first encounter keypass, and so that is where the vast majority of keypass will happen, which is as gp said, the lock in factor.
Advanced users such as that that browse this site, will make use a password manager. Due to the extra effort involved, such users are a minority.
It's true that a lot of people who don't really think about which password manager they should use will end up using one of those by default. (Much like happens with web browsers.)
Getting the masses to use password managers regularly will greatly improve security. It would be better if more people made a deliberate choice, though.
I believe the issue Google is attempting to solve is frustration when a single web page spams multiple permissions requests. (Location, camera, microphone, advertiser tracking, notifications, privacy policy agreements, terms of service, etc…). The benefit to Google is better fingerprinting when a single sheet allows all at once.
Edit: perhaps they will sneak in a Google automatic login as a permission to smooth user interactions.
https://support.apple.com/guide/deployment/passkey-attestati...
https://arstechnica.com/security/2025/06/apple-previews-new-...
https://github.com/keepassxreboot/keepassxc/issues/10407
The goal here isn't maximizing user choice, it's to enforce minimum agreeable standards by the major vendors. It's up to you whether your personal needs wholly align with what they want to mandate, forever.
Modal permission prompts are very annoying but inline prompts will need to have styling severely limited (as they do here) to avoid nefarious use. Almost all web sites with a designer attached will end up continuing to use styled buttons that call the modal prompt when clicked. I guess this sort of works as a <noscript> equivalent for permissions… but you can’t use the majority of those permissions without JavaScript anyway.
This special class of element also feels like a maintainability nightmare for browser teams. What happens when I put a <div> on top of this prompt with pointer-events:none on it? Would be textbook example of how you could mask the prompt. I’m sure you can fix that but there must be a hundred whack a mole problems I haven’t even thought of.
So the proposal is to... put the permissions grant flow _below_ the line of death? Permissions grants _should_ break out of the untrusted context! It's a privilege escalation that only the browser (and its associated UI) should be able to grant!
[0] https://textslashplain.com/2017/01/14/the-line-of-death/
Also those dialog designs are pretty awful from a usability point of view. In terms of design they all look identical, but the buttons change meaning pretty drastically, so you have to actually read the text. It would be better if it had some kind of slider or something that showed you the three possible states and let you switch between them consistently.
That's exactly how google would describe it with some missing context added.
Whether it's an official standard by some criteria doesn't matter.
However, I also think it would be a better idea to allow these permissions to be proxied (e.g. when camera access is required, you are allowed to specify a file instead if you want to do, or any external program, etc; this can be a third option in addition to "allow" and "deny"). To be able to easily undo permissions, add a menu that you can easily alter them.
Edit: Not sure why I'm being voted down? Can someone who disagrees with my statement explain why you'd click a button with the goal of opening a modal to deny a permission when the permission is already blocked?
Basically, I expect users wil stil need a way to defend against permission spam.
If you're on a site that follows your cursor around with this button forcing you to click on it, the SITE is spam, not the permission request.
I think the point behind this is to stop websites from spamming permission popups by moving the permission prompt to page content and making the contents browser-controlled not website-controlled. I think that’s a better model, but it doesn’t really solve the annoyance of having the “fake” permission prompt followed by the real one, does it? Won’t websites just alter their “enable notifications” fake popup to include this?
I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.
You're describing the "no easy undo for allow" problem. Google doesn't care about that and doesn't want to fix it, since they want more of your data, not less. This element is just to have a solution to the "no easy undo for block" problem.
If the goal is to let users easily identity this element as "browser-provided", then having the element "stick out" and be distinct from the page style would sort of be the point - so I don't see why styling fonts or colors should be possible at all.
If this is not the goal, then why restrict styling at all?
In any case, I don't see how users could be educated to rules like "If the letter spacing is between 0 and 0.5 em, it's genuine, otherwise it's fake" or "the font can be normal or italic, but not bold or underlined" to distinguish genuine from fake permission elements.
I get that permitting full styling would allow all kinds of dirty tricks with overlays, strategic invisibility etc, that have to be defended against. But do they really want to play continuous whack-a-mole with all the ways styling could be exploited?
The permission modal that's shown intentionally overlaps the line of death, which is exactly the same as it is today
it's subtle, but long term it puts more pressure on users to parse trust context visually, not functionally. if every site can skin permission requests differently, consistency breaks down. user instinct gets trained on style, not source
Original fb marketplace in india.
These fuckers ask for location on each search query, basically on each page load.
It is annoying to operate on Firefox focus and regular Firefox on android as it has a bug I assume that does not honor per site permission disable request.
Same on Firefox desktop, it works, sometimes it does not and then the site is unusable unless you deny location on each page load. Urrrghhh
We need global default off and per site permission.
Also, would it not be easier to pass dummy coordinates like 0.00,0.00 to bypass the nag screen ?
Same for notifications. "Yeah yeah notifications are enabled. Stop bothering me" ??
An <intrusive type="..."/> element. It wouldn't be styled by the site except to determine whether it was visible at all and how it was positioned on the page. The element would support a dom api to query information corresponding to it's type (eg location, video, etc). The element would only provide information when it was fully visible on the page. It would display on top of every other element on the page, and wouldn't be permitted to be positioned on top of other <intrusive> elements. It would display to the user a visualization of the information being provided to the website. For example, an <intrusive type=location> element would display a map with the location the browser is giving the website being positioned on the map.
By default, if the user didn't interact with it at all, it would give the page "fake" information that doesn't require permissions to know. For example, for location, it would display the location on a map as determined by the users externally visible ip address using geoip. For video, it would display a static avatar. For audio, it would perform text to speech based on whatever is typed by the user. The element would contain a short text explaining that this is what it is doing (eg: "Location: coarse"; "Video: avatar"; etc). The user could click/tap on the element to configure what information it provides. For an <intrusive type=location>, a dialogue would be displayed suggesting the user either give "fine", or "coarse" location to the site. A preview of what the intrusive element would look like afterwards would be given for each option. The default selected option would be whatever the currently selected option is, eg "coarse" for location. There would be a button marked "continue" which would leave the current option selected. Since users often click "continue" (or "ok", or even "cancel") without thinking about what they are doing, this would cause the permission to "fail safe".
In case you got a stupid-ass machine-translated version.
Maybe they want to bring a whole lot of other elements in to allow that type of access, but I wouldn't put the carriage before the horses.
> Finally, it is too easy for users to navigate themselves into a dead-end. For example, once the user has blocked access to a feature, it requires them to be aware of the site information drop-down where they can either Reset permissions or toggle blocked permissions back on.
Yea, that's a real humdinger, if only the vendor of that software would commit some engineering resources to solve that problem.
Looks like they try to "fix" an issue that should be fixed on the browser's UI side.
Moreover, it allows the user to show the browser controls for re-requesting the permission if it was previously denied, which isn't possible with the imperative API (because an imperative API can implicitly be abused).
That's a joke, who cares....