An origin trial for a new HTML <permission> element (2024)
103 comments
·June 15, 2025madeofpalk
username223
This bit from the WebKit response hits hard for me:
> Security Complexity: Proposed security measures (styling constraints, timing, and position mitigation) add substantial complexity, indicating possible fundamental issues with the approach.
"Security complexity" is never something you want to see, because it will become yet another game of whack-a-mole between browser makers and hostile websites (i.e. between Chrome and Google Ads). Does anyone believe that a standard will hold up against the AdTech industry armed with the full power of HTML+CSS+JavaScript? These are the people who brought you the "Enable push notifications? Yes/Pester-me-later" pre-prompt.
ultiuix
[flagged]
shaky-carrousel
Google probably wants to bring the "maybe later" anti-pattern to the browser permission system:
https://tildes.net/~tech/1d9u/im_thoroughly_done_with_my_cho...
It's a reminder that Google is not a friend, but an ad-versary, and that you aren't given a free browser to happily navigate the internet, but to be milked by the ad industry.
imtringued
Considering that Chrome doesn't support getAutoplayPolicy() even though it's been 7 years since browsers decided to break autoplay for everyone, I'm pretty sure Google doesn't have any good intentions here.
If you have a website that relies on autoplay, because it is basically just one giant video element, then there is no way to detect that autoplay is blocked and fall back to a stopped video. You're forced to essentially not use autoplay at all. When autoplay is blocked you don't get an error, the autoplay events are simply disabled. You can't prove the absence of the event even with an invisible silent sound being played in the background. That's what getAutoplayPolicy() is for and guess who didn't implement it.
account-5
At face value this seems reasonable, but (and this might just be me) because its being pushed by Google I have to ask myself: what's in it for Google, and what am I missing?
Manifest 3 for example breaks adblockers for the sake of 'security', and adverts are Google's business. Passkeys are pushed for security as well (and do have benefits) but for the average person locks you into a eco-system; another business model plus for Google.
So with that in mind, how does this benefit Google at the expense of the user? Making the permissions less explicit, or less separate from the content of a site might be a net benefit to Google... I don't know.
I might also be reading way too much into motivations, and/or paranoid.
dbushell
It makes it easier for users to enable permissions, accidentally too, and thus lower security and privacy. Google products are designed to exploit that. Google probably has data showing a large number of users have disabled such permissions globally, with no easy path to trick them into opting back in. That would be the cynical view!
edit: also one can never be too paranoid around Google.
throw10920
> It makes it easier for users to enable permissions, accidentally too, and thus lower security and privacy. Google products are designed to exploit that.
I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.
tanaros
> I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.
This does not appear to be the case, at least on iOS Safari. I went to Google Maps, gave it permission, then went to Google Search and searched for “delivery near me.” It again asked me for permission.
LexGray
Passkey lock in appears to be a temporary issue. One of the WWDC announcements was that the FIDO alliance worked out a way to securely port passkeys between platforms. I expect Google to adopt import and export before year end.
I believe the issue Google is attempting to solve is frustration when a single web page spams multiple permissions requests. (Location, camera, microphone, advertiser tracking, notifications, privacy policy agreements, terms of service, etc…). The benefit to Google is better fingerprinting when a single sheet allows all at once.
Edit: perhaps they will sneak in a Google automatic login as a permission to smooth user interactions.
josephcsible
It's not temporary. The whole point of attestation in the passkey spec is to make lock-in permanent.
skybrian
Could you explain more? For Apple, the web page I found seems to be an enterprise thing:
https://support.apple.com/guide/deployment/passkey-attestati...
skybrian
Passkeys require a password manager, so at most, this locks you into a password manager - choose carefully!
But it’s not that locked in. You can generate new passkeys for a different password manager, so migration is more of an annoyance, if you do it gradually. Having more than one password manager for a while isn’t so bad.
politelemon
> Passkeys require a password manager
No, they do not. For the vast majority they will simply require using the two major closed OSes which desire to lock the user in. Importantly the OS layer is where they will first encounter keypass, and so that is where the vast majority of keypass will happen, which is as gp said, the lock in factor.
Advanced users such as that that browse this site, will make use a password manager. Due to the extra effort involved, such users are a minority.
skybrian
iOS and Chrome (often on Android, but not necessarily) have built-in password managers. I use both! I believe Windows has one, too.
It's true that a lot of people who don't really think about which password manager they should use will end up using one of those by default. (Much like happens with web browsers.)
Getting the masses to use password managers regularly will greatly improve security. It would be better if more people made a deliberate choice, though.
null
kalleboo
Now that the FIDO alliance transfer protocol has been hashed out, Passkey transfer has been announced to be coming in iOS/macOS 26, I assume it's also coming to the other password managers
NoMoreNicksLeft
If you already had a password manager, of what good is the passkey?
skybrian
One improvement is that they use public key cryptography, so they will never show up on Have I Been Pwned due to poor website security.
But yeah, if you use a password manager you’re probably doing better than most people.
RainyDayTmrw
I fear we're regressing.
There is a concept in browser UX design called the "line of death"[1] - the delineation between trusted browser UX and untrusted website UX. Unfortunately, because it looks ugly, every new year of visual designers further weaken its guarantees.
Here's an interesting anecdote from an earlier time. In the 2000s, back when the internet was a lot newer, and UX best practices were much less well understood, and internet users were starting to see the first big wave of "evil" websites, many of us independently discovered a surprisingly simple and surprisingly effective mitigation. If you choose a custom browser theme, preferably with bright colors, websites can't fake browser UX elements. The default theme will clearly mismatch, and websites can't guess what theme you did pick.
[1] - https://textslashplain.com/2017/01/14/the-line-of-death/
ultiuix
[flagged]
afavour
I appreciate the effort being made here but the more I think about it the more I’m convinced it’s a no-win scenario.
Modal permission prompts are very annoying but inline prompts will need to have styling severely limited (as they do here) to avoid nefarious use. Almost all web sites with a designer attached will end up continuing to use styled buttons that call the modal prompt when clicked. I guess this sort of works as a <noscript> equivalent for permissions… but you can’t use the majority of those permissions without JavaScript anyway.
This special class of element also feels like a maintainability nightmare for browser teams. What happens when I put a <div> on top of this prompt with pointer-events:none on it? Would be textbook example of how you could mask the prompt. I’m sure you can fix that but there must be a hundred whack a mole problems I haven’t even thought of.
CamouflagedKiwi
I thought I liked the idea at first when I was imagining an element with no UI that just told the browser what the page wanted - I see how that solves some of the issues they mention at first. But I don't like it as a UI element that is interacted with - the whole performance around what styling of it is allowed seems like the tip of a nasty iceberg of awkward issues and anti-patterns.
_heimdall
Agreed. The UI should be owned by the browser and entirely separate from any page UI that could be hijacked.
Robdel12
I really dislike when this happens. Completely side steps the standards process and puts forth an API that will have to be now considered since it’s in use. Chrome has done this before, too, I’m pretty sure with web components. Leading to the mess that they are.
NoahZuniga
Well, It's on an Origin Trial, so it's only "in use" for people that have explicitly turned it on. There's not much to dislike.
helixten
This is part of the standards process. Incubation happened here https://github.com/WICG/PEPC now on to Origin Trials before Standardization
JimDabell
I think that’s kinda misleading, isn’t it? You make it sound like it’s making good progress towards standardisation. They asked for feedback from other browser vendors, everybody said no, and they are shipping it anyway. Is “incubation happened, now on to origin trials before standardisation” really a suitable summary of that?
DrammBA
> “incubation happened (and we don't care what anyone said), now on to origin trials before standardisation (in chrome, and good luck if you use another browser)”
That's exactly how google would describe it with some missing context added.
d3nj4l
Well, they moved on despite both other major engine vendors having a negative position on this spec, so is the standards process really doing anything?
thaumasiotes
Yes, when people complain about what they're doing, they can say "this is just the way the standards process works".
superkuh
Standardization... also known as open washing by their employees in WHATWG.
troupo
It's not. There are now probably dozens (if not more) "standards" that are shipped in Chrome because "it's part of standards process".
Google creates an excuse of a standard proposal. Other browser vendors find major issues, or outright say "no", Google still ships the "standard".
IshKebab
Looks sensible, though I imagine it is going to be a nightmare trying to prevent click jacking, e.g. people putting elements over the top with `pointer-events: none`. There are probably a load of those attacks that are possible. Probably not too bad though because the final dialog is presumably shown above all other elements unconditionally.
Also those dialog designs are pretty awful from a usability point of view. In terms of design they all look identical, but the buttons change meaning pretty drastically, so you have to actually read the text. It would be better if it had some kind of slider or something that showed you the three possible states and let you switch between them consistently.
notnullorvoid
Can't blame Mozilla and WebKit for being against this API. Permission prompts are supposed to be controlled from outside the page so users can trust them. This proposal is very dangerous, and it's surprising Google doesn't see why.
This is the opposite direction permissions should be taking if anything they should be more prominently disconnected from the page, and browsers should improve their UI so multiple requests can be surfaced in a single prompt window.
GrantMoyer
Google's trial has "allow on every visit" and "allow this time", but "block on every visit" is conspicuously missing.
bastawhiz
If it's blocked by default and you need to interact to opt in, isn't the default "block on every visit"? The only reason it's an option now is to avoid the modal popping on every visit, which isn't a concern for this proposal.
Edit: Not sure why I'm being voted down? Can someone who disagrees with my statement explain why you'd click a button with the goal of opening a modal to deny a permission when the permission is already blocked?
GrantMoyer
It depends on how styleable the <permission> element ends up. I don't imagine any website will use it if it's limited to being an ugly default button with non-configurable text. But if the button is configurable enough, there's nothing to stop websites from abusing it for permission spam, just like the current model is.
Basically, I expect users wil stil need a way to defend against permission spam.
bastawhiz
This proposal doesn't (nor can it possibly) fix the issue of the site putting a full-viewport UI up that forces you to trigger a permission modal. That's an issue today, and it doesn't even have anything to do with permissions. See: cookie popups, newsletter popups, disable your ad blocker popups. It's impossible to avoid that problem, because the nag screen is the content of the page. Even if you block permission requests with today's options, the site can still do this to annoy you into changing your mind.
If you're on a site that follows your cursor around with this button forcing you to click on it, the SITE is spam, not the permission request.
josephcsible
We want an option that means "block, and don't let this site ask me for this permission ever again".
bastawhiz
That's the point: the site never asks for permission with this proposal. You can't opt out of asking because the UI for the proposal is explicitly opt in. What would you want such an option to do in the context of this proposal?
mbo
> Another challenge, especially on big screens, is the way the permission prompt gets commonly displayed: above the line of death[0], that is, outside of the area of the browser window that the app can draw onto.
So the proposal is to... put the permissions grant flow _below_ the line of death? Permissions grants _should_ break out of the untrusted context! It's a privilege escalation that only the browser (and its associated UI) should be able to grant!
[0] https://textslashplain.com/2017/01/14/the-line-of-death/
JimDabell
I’m not sure the linked document makes a good case for this. My initial reaction was that I didn’t understand why they made a point of it being declarative when the permission that results requires imperative code to function.
I think the point behind this is to stop websites from spamming permission popups by moving the permission prompt to page content and making the contents browser-controlled not website-controlled. I think that’s a better model, but it doesn’t really solve the annoyance of having the “fake” permission prompt followed by the real one, does it? Won’t websites just alter their “enable notifications” fake popup to include this?
I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.
josephcsible
> I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.
You're describing the "no easy undo for allow" problem. Google doesn't care about that and doesn't want to fix it, since they want more of your data, not less. This element is just to have a solution to the "no easy undo for block" problem.
blue_pants
What about <permission> having browser-defined UI instead? A site needs to access the location, for example there's a button on the page, 'Show my location', which is wrapped in a <permission> tag. When the user hovers over the button, the browser UI would appear on top of the area with a lock or something (the site cannot style this UI). If the user clicks on it, it would show the usual 'Site wants to use your location', and if the user agrees, they can click on the 'Show my location' button, if they don't agree, the browser UI would be shown again on the next hover. It would make it impossible for sites to obscure the permission-requesting UI.
2Gkashmiri
Olx.in
Original fb marketplace in india.
These fuckers ask for location on each search query, basically on each page load.
It is annoying to operate on Firefox focus and regular Firefox on android as it has a bug I assume that does not honor per site permission disable request.
Same on Firefox desktop, it works, sometimes it does not and then the site is unusable unless you deny location on each page load. Urrrghhh
We need global default off and per site permission.
Also, would it not be easier to pass dummy coordinates like 0.00,0.00 to bypass the nag screen ?
Same for notifications. "Yeah yeah notifications are enabled. Stop bothering me" ??
troupo
> These fuckers ask for location on each search query, basically on each page load.
Google's search is rapidly going in the same direction
> "Yeah yeah notifications are enabled. Stop bothering me" ??
It boggles my mind that even the "privacy conscious" browsers like Safari and Firefox don't have a "no, and never ask me again for this site".
null
> The Chrome team has also asked for formal Standards Positions from both vendors, see the Related links section. The <permission> element is an ongoing topic of discussions with other browsers and we're hoping to standardize it.
I don’t understand this proposal enough to have an opinion yet, but that sure is an interesting way to say both Firefox and WebKit oppose it.
https://github.com/mozilla/standards-positions/issues/908#is...
https://github.com/WebKit/standards-positions/issues/270#iss...