An origin trial for a new HTML <permission> element (2024)

72 tentacleuno 65 6/15/2025, 10:54:20 AM developer.chrome.com ↗

Comments (65)

madeofpalk · 4h ago

> The Chrome team has also asked for formal Standards Positions from both vendors, see the Related links section. The <permission> element is an ongoing topic of discussions with other browsers and we're hoping to standardize it.

I don’t understand this proposal enough to have an opinion yet, but that sure is an interesting way to say both Firefox and WebKit oppose it.

https://github.com/mozilla/standards-positions/issues/908#is...

https://github.com/WebKit/standards-positions/issues/270#iss...

username223 · 2h ago

This bit from the WebKit response hits hard for me:

> Security Complexity: Proposed security measures (styling constraints, timing, and position mitigation) add substantial complexity, indicating possible fundamental issues with the approach.

"Security complexity" is never something you want to see, because it will become yet another game of whack-a-mole between browser makers and hostile websites (i.e. between Chrome and Google Ads). Does anyone believe that a standard will hold up against the AdTech industry armed with the full power of HTML+CSS+JavaScript? These are the people who brought you the "Enable push notifications? Yes/Pester-me-later" pre-prompt.

skybrian · 3h ago

Maybe they don’t want to update this web page if the other vendors change their minds? They have links instead.

troupo · 1h ago

They never update web.dev pages, and often present not-even-close-to-being-standard as done deals

account-5 · 5h ago

At face value this seems reasonable, but (and this might just be me) because its being pushed by Google I have to ask myself: what's in it for Google, and what am I missing?

Manifest 3 for example breaks adblockers for the sake of 'security', and adverts are Google's business. Passkeys are pushed for security as well (and do have benefits) but for the average person locks you into a eco-system; another business model plus for Google.

So with that in mind, how does this benefit Google at the expense of the user? Making the permissions less explicit, or less separate from the content of a site might be a net benefit to Google... I don't know.

I might also be reading way too much into motivations, and/or paranoid.

dbushell · 5h ago

It makes it easier for users to enable permissions, accidentally too, and thus lower security and privacy. Google products are designed to exploit that. Google probably has data showing a large number of users have disabled such permissions globally, with no easy path to trick them into opting back in. That would be the cynical view!

edit: also one can never be too paranoid around Google.

throw10920 · 2h ago

> It makes it easier for users to enable permissions, accidentally too, and thus lower security and privacy. Google products are designed to exploit that.

I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.

tanaros · 2h ago

> I learned a while back that Google Maps was moved from maps.google.com to google.com/maps so that when people gave location permission to Maps, Google Search could also use that permission.

This does not appear to be the case, at least on iOS Safari. I went to Google Maps, gave it permission, then went to Google Search and searched for “delivery near me.” It again asked me for permission.

skybrian · 3h ago

Passkeys require a password manager, so at most, this locks you into a password manager - choose carefully!

But it’s not that locked in. You can generate new passkeys for a different password manager, so migration is more of an annoyance, if you do it gradually. Having more than one password manager for a while isn’t so bad.

politelemon · 3h ago

> Passkeys require a password manager

No, they do not. For the vast majority they will simply require using the two major closed OSes which desire to lock the user in. Importantly the OS layer is where they will first encounter keypass, and so that is where the vast majority of keypass will happen, which is as gp said, the lock in factor.

Advanced users such as that that browse this site, will make use a password manager. Due to the extra effort involved, such users are a minority.

skybrian · 2h ago

iOS and Chrome (often on Android, but not necessarily) have built-in password managers. I use both! I believe Windows has one, too.

It's true that a lot of people who don't really think about which password manager they should use will end up using one of those by default. (Much like happens with web browsers.)

Getting the masses to use password managers regularly will greatly improve security. It would be better if more people made a deliberate choice, though.

LexGray · 3h ago

Passkey lock in appears to be a temporary issue. One of the WWDC announcements was that the FIDO alliance worked out a way to securely port passkeys between platforms. I expect Google to adopt import and export before year end.

I believe the issue Google is attempting to solve is frustration when a single web page spams multiple permissions requests. (Location, camera, microphone, advertiser tracking, notifications, privacy policy agreements, terms of service, etc…). The benefit to Google is better fingerprinting when a single sheet allows all at once.

Edit: perhaps they will sneak in a Google automatic login as a permission to smooth user interactions.

josephcsible · 2h ago

It's not temporary. The whole point of attestation in the passkey spec is to make lock-in permanent.

skybrian · 14m ago

Could you explain more? For Apple, the web page I found seems to be an enterprise thing:

https://support.apple.com/guide/deployment/passkey-attestati...

afavour · 5h ago

I appreciate the effort being made here but the more I think about it the more I’m convinced it’s a no-win scenario.

Modal permission prompts are very annoying but inline prompts will need to have styling severely limited (as they do here) to avoid nefarious use. Almost all web sites with a designer attached will end up continuing to use styled buttons that call the modal prompt when clicked. I guess this sort of works as a <noscript> equivalent for permissions… but you can’t use the majority of those permissions without JavaScript anyway.

This special class of element also feels like a maintainability nightmare for browser teams. What happens when I put a <div> on top of this prompt with pointer-events:none on it? Would be textbook example of how you could mask the prompt. I’m sure you can fix that but there must be a hundred whack a mole problems I haven’t even thought of.

CamouflagedKiwi · 6h ago

I thought I liked the idea at first when I was imagining an element with no UI that just told the browser what the page wanted - I see how that solves some of the issues they mention at first. But I don't like it as a UI element that is interacted with - the whole performance around what styling of it is allowed seems like the tip of a nasty iceberg of awkward issues and anti-patterns.

_heimdall · 5h ago

Agreed. The UI should be owned by the browser and entirely separate from any page UI that could be hijacked.

IshKebab · 6h ago

Looks sensible, though I imagine it is going to be a nightmare trying to prevent click jacking, e.g. people putting elements over the top with `pointer-events: none`. There are probably a load of those attacks that are possible. Probably not too bad though because the final dialog is presumably shown above all other elements unconditionally.

Also those dialog designs are pretty awful from a usability point of view. In terms of design they all look identical, but the buttons change meaning pretty drastically, so you have to actually read the text. It would be better if it had some kind of slider or something that showed you the three possible states and let you switch between them consistently.

Robdel12 · 6h ago

I really dislike when this happens. Completely side steps the standards process and puts forth an API that will have to be now considered since it’s in use. Chrome has done this before, too, I’m pretty sure with web components. Leading to the mess that they are.

helixten · 6h ago

This is part of the standards process. Incubation happened here https://github.com/WICG/PEPC now on to Origin Trials before Standardization

d3nj4l · 5h ago

Well, they moved on despite both other major engine vendors having a negative position on this spec, so is the standards process really doing anything?

thaumasiotes · 5h ago

Yes, when people complain about what they're doing, they can say "this is just the way the standards process works".

JimDabell · 5h ago

I think that’s kinda misleading, isn’t it? You make it sound like it’s making good progress towards standardisation. They asked for feedback from other browser vendors, everybody said no, and they are shipping it anyway. Is “incubation happened, now on to origin trials before standardisation” really a suitable summary of that?

DrammBA · 5h ago

> “incubation happened (and we don't care what anyone said), now on to origin trials before standardisation (in chrome, and good luck if you use another browser)”

That's exactly how google would describe it with some missing context added.

madeofpalk · 4h ago

It cannot be a standard until two browsers ship the API.

JimDabell · 1h ago

Technically, it’s not two browsers shipping it, it’s two independent implementations. Otherwise everything that Google ships as part of Blink would become a standard as soon as any one of the other Blink-based browsers (e.g. Edge) includes it.

fabrice_d · 3h ago

lol. As long as a browser with Chrome's market share ships it, it will be used.

Whether it's an official standard by some criteria doesn't matter.

superkuh · 5h ago

Standardization... also known as open washing by their employees in WHATWG.

GrantMoyer · 4h ago

Google's trial has "allow on every visit" and "allow this time", but "block on every visit" is conspicuously missing.

bastawhiz · 3h ago

If it's blocked by default and you need to interact to opt in, isn't the default "block on every visit"? The only reason it's an option now is to avoid the modal popping on every visit, which isn't a concern for this proposal.

Edit: Not sure why I'm being voted down? Can someone who disagrees with my statement explain why you'd click a button with the goal of opening a modal to deny a permission when the permission is already blocked?

GrantMoyer · 1h ago

It depends on how styleable the <permission> element ends up. I don't imagine any website will use it if it's limited to being an ugly default button with non-configurable text. But if the button is configurable enough, there's nothing to stop websites from abusing it for permission spam, just like the current model is.

Basically, I expect users wil stil need a way to defend against permission spam.

bastawhiz · 33m ago

This proposal doesn't (nor can it possibly) fix the issue of the site putting a full-viewport UI up that forces you to trigger a permission modal. That's an issue today, and it doesn't even have anything to do with permissions. See: cookie popups, newsletter popups, disable your ad blocker popups. It's impossible to avoid that problem, because the nag screen is the content of the page. Even if you block permission requests with today's options, the site can still do this to annoy you into changing your mind.

If you're on a site that follows your cursor around with this button forcing you to click on it, the SITE is spam, not the permission request.

josephcsible · 2h ago

We want an option that means "block, and don't let this site ask me for this permission ever again".

bastawhiz · 2h ago

That's the point: the site never asks for permission with this proposal. You can't opt out of asking because the UI for the proposal is explicitly opt in. What would you want such an option to do in the context of this proposal?

xg15 · 3h ago

It's a good idea, but that complicated list of styling interactions/restrictions seems honestly ridiculous.

If the goal is to let users easily identity this element as "browser-provided", then having the element "stick out" and be distinct from the page style would sort of be the point - so I don't see why styling fonts or colors should be possible at all.

If this is not the goal, then why restrict styling at all?

In any case, I don't see how users could be educated to rules like "If the letter spacing is between 0 and 0.5 em, it's genuine, otherwise it's fake" or "the font can be normal or italic, but not bold or underlined" to distinguish genuine from fake permission elements.

I get that permitting full styling would allow all kinds of dirty tricks with overlays, strategic invisibility etc, that have to be defended against. But do they really want to play continuous whack-a-mole with all the ways styling could be exploited?

cwillu · 4h ago

Isn't there an important reason for the permission dialog to _not_ be in the content area? I see no discussion of how this will avoid clickjacking attacks.

bastawhiz · 3h ago

Only the button that triggers the dialog is in the content area

Kwpolska · 3h ago

Nope, there’s a modal in the middle of the screen.

bastawhiz · 3h ago

There are no screenshots in the linked article that show a permission modal in the middle of the viewport. The only screenshot with a modal in the viewport is a screenshot of Google Meet today without this, showing how to open the modal to reset permissions.

The permission modal that's shown intentionally overlaps the line of death, which is exactly the same as it is today

Kwpolska · 2h ago

Oh, sorry, the modal discussion is in the Mozilla position, for example: https://github.com/mozilla/standards-positions/issues/908

bastawhiz · 2h ago

A ways down in the discussion they note that there's really two parts to the proposal: showing the permission state and triggering the permission dialog, and separately having an in-content permission dialog. The article linked here doesn't seem to touch the second part at all. That's probably wise, and it doesn't mean the proposal is DoA.

JimDabell · 5h ago

I’m not sure the linked document makes a good case for this. My initial reaction was that I didn’t understand why they made a point of it being declarative when the permission that results requires imperative code to function.

I think the point behind this is to stop websites from spamming permission popups by moving the permission prompt to page content and making the contents browser-controlled not website-controlled. I think that’s a better model, but it doesn’t really solve the annoyance of having the “fake” permission prompt followed by the real one, does it? Won’t websites just alter their “enable notifications” fake popup to include this?

I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.

josephcsible · 2h ago

> I also don’t see how this solves the “no easy undo” problem. Won’t websites just remove that element once they gain permission? Or worse, they could spoof it and fake the undo.

You're describing the "no easy undo for allow" problem. Google doesn't care about that and doesn't want to fix it, since they want more of your data, not less. This element is just to have a solution to the "no easy undo for block" problem.

b0a04gl · 3h ago

thinking how this shifts the framing of permissions from being browser-managed to site-declared. putting the intent inline means sites start shaping how consent feels, not just when it happens. that changes the surface area. the prompt becomes part of UX design, not just a browser interruption.

it's subtle, but long term it puts more pressure on users to parse trust context visually, not functionally. if every site can skin permission requests differently, consistency breaks down. user instinct gets trained on style, not source

blue_pants · 4h ago

What about <permission> having browser-defined UI instead? A site needs to access the location, for example there's a button on the page, 'Show my location', which is wrapped in a <permission> tag. When the user hovers over the button, the browser UI would appear on top of the area with a lock or something (the site cannot style this UI). If the user clicks on it, it would show the usual 'Site wants to use your location', and if the user agrees, they can click on the 'Show my location' button, if they don't agree, the browser UI would be shown again on the next hover. It would make it impossible for sites to obscure the permission-requesting UI.

2Gkashmiri · 4h ago

Olx.in

Original fb marketplace in india.

These fuckers ask for location on each search query, basically on each page load.

It is annoying to operate on Firefox focus and regular Firefox on android as it has a bug I assume that does not honor per site permission disable request.

Same on Firefox desktop, it works, sometimes it does not and then the site is unusable unless you deny location on each page load. Urrrghhh

We need global default off and per site permission.

Also, would it not be easier to pass dummy coordinates like 0.00,0.00 to bypass the nag screen ?

Same for notifications. "Yeah yeah notifications are enabled. Stop bothering me" ??

WhyNotHugo · 5h ago

This is really convenient for users. A really convenient way for them to unwittingly grant more permissions than intended.

shakna · 6h ago

So Chrome's just completely sidestepping `.request` being dropped for being too much of a security risk in the context of people being limited in attention, and the web being rife with abuse, then? That's how this whole thing reads to me.

bastawhiz · 3h ago

Notably absent from the list of allowed CSS declarations is font-family, probably because you could abuse it to change the text on the button. While I appreciate the safety that this gives, it's going to be an annoying UX wrinkle basically in perpetuity. Especially if you're building a page with serif fonts and the browser makes your button sans serif (or vise versa).

f33d5173 · 3h ago

Here's an alternative along these lines:

An <intrusive type="..."/> element. It wouldn't be styled by the site except to determine whether it was visible at all and how it was positioned on the page. The element would support a dom api to query information corresponding to it's type (eg location, video, etc). The element would only provide information when it was fully visible on the page. It would display on top of every other element on the page, and wouldn't be permitted to be positioned on top of other <intrusive> elements. It would display to the user a visualization of the information being provided to the website. For example, an <intrusive type=location> element would display a map with the location the browser is giving the website being positioned on the map.

By default, if the user didn't interact with it at all, it would give the page "fake" information that doesn't require permissions to know. For example, for location, it would display the location on a map as determined by the users externally visible ip address using geoip. For video, it would display a static avatar. For audio, it would perform text to speech based on whatever is typed by the user. The element would contain a short text explaining that this is what it is doing (eg: "Location: coarse"; "Video: avatar"; etc). The user could click/tap on the element to configure what information it provides. For an <intrusive type=location>, a dialogue would be displayed suggesting the user either give "fine", or "coarse" location to the site. A preview of what the intrusive element would look like afterwards would be given for each option. The default selected option would be whatever the currently selected option is, eg "coarse" for location. There would be a button marked "continue" which would leave the current option selected. Since users often click "continue" (or "ok", or even "cancel") without thinking about what they are doing, this would cause the permission to "fail safe".

pwdisswordfishz · 3h ago

https://developer.chrome.com/blog/permission-element-origin-...

In case you got a stupid-ass machine-translated version.

cprecioso · 2h ago

I wish the template that Google uses for all of their dev blogs had a clear date, otherwise people would have realized that this is one year old, and the origin trial has already ended.

mariusor · 2h ago

I think that as long as the APIs for interacting with whatever each permission gives access to: camera, microphone, geo-location, etc, can't be accessed directly from HTML, a <permission> tag should not be in the spec.

Maybe they want to bring a whole lot of other elements in to allow that type of access, but I wouldn't put the carriage before the horses.

grugagag · 4h ago

Its a way for Google to ensure some things will only work with Chrome. I hope it will bite them back

_Algernon_ · 3h ago

These prompts should not be stylable and should have a standard layout for all sites. This is another cookie banner disaster in the making. This is a big step backwards.

bastawhiz · 3h ago

The dialog isn't stylable, and the button that triggers the dialog has minimal styles

kijin · 5h ago

<permission> looks like only the elements inside will have access to the feature. But we all know that's not how permissions work.

runxel · 2h ago

Thanks, I hate it!

Looks like they try to "fix" an issue that should be fixed on the browser's UI side.

wizzwizz4 · 6h ago

The article says: “In its simplest form, you use it as in the following example:

  <permission type="camera" />

” but this isn't how HTML works. Really, while at first glance it might seem like a good idea, this whole feature is an inconsistent mess. It's not the declarative element it's claimed to be.

bastawhiz · 3h ago

Except it is declarative? The element renders a button and clicking the button (without any JavaScript) shows a browser UI for managing the permission. How is that imperative?

wizzwizz4 · 2m ago

It's not declaring a permission: it's instructing the browser to render a button. That's like saying <button onclick="Notification.requestPermission()">Notify me!</button> is declarative.

dist-epoch · 6h ago

What does Mozilla/W3C/WHATWG think about this?

That's a joke, who cares....

detaro · 6h ago

Webkits and Mozillas positions are linked at the bottom (they are both negative).

butz · 3h ago

Why am I supposed to give access to my camera and microphone to a text document (HTML page)?

dcgudeman · 3h ago

because it is where you go to do video conferencing.

How to Do Research (visionbook.mit.edu)

You're being lied to about protein (vox.com)

The true reason behind Aero Glass's removal from a Microsoft Engineer (2015) (old.reddit.com)

Google 'handling stolen goods' with YouTube theft of paywalled news articles (pressgazette.co.uk)

Should We Embrace Boredom? (theguardian.com)

NASA reveals that trees near volcanoes send warning signals before eruptions (elcabildo.org)

Wine 10.10 (Dev) – Run Windows Applications on Linux, BSD, Solaris and macOS (gitlab.winehq.org)

The English Programming Language (github.com)

Simplicity Matters (Rich Hickey) (github.com)

A Google Shareholder Is Suing the Company over the TikTok Ban (wired.com)

Brain implant breakthrough helps ALS man talk – and sing – again (newatlas.com)

Writing Toy Software Is a Joy (jsbarretto.com)

Marking the 20th anniversary of Steve Jobs' Stanford address (stevejobsarchive.com)

Diagnostic pen converts writing into electrical signals to detect Parkinson's (medicalxpress.com)

Apple Completes Migration of Key Service to Swift, Gains 40% Performance Uplift (infoq.com)

Cqrs.com (cqrs.com)

ESA moving ahead with 'resilience from space' satellite imaging program (spacenews.com)

The Lo-Fi Art and Human Tools Era (pketh.org)

FollowUp: My move to Netherlands is currently blocked

Scientists want to test a solar umbrella that could help fight climate change (bgr.com)

Accounting for Elevation (busgraphs.com)

I Rewrote "Fishy" in Rust → WASM → Browser. Open Source (gametorch.itch.io)

ChatGPT Search gets an upgrade as OpenAI takes aim at Google (bleepingcomputer.com)

Letter: Defense of Earth itself should be Space Job One [pdf] (archive.org)

Show HN: Urn Notice –| Build yourself an audience, without a newsletter or blog (urnnotice.com)

China achieves thorium nuclear reactor milestone based on abandoned US research (thecooldown.com)

Finding the Signal in a Service-Oriented World (medium.com)

Show HN: OpenClone – A human cloning deepfake project with infrastructure (github.com)

YouTube might slow down your videos if you block ads (pcworld.com)

Tape, glass, and molecules – the future of archival storage (theregister.com)

Influencing Shouldn't Be Professional (michigandaily.com)

Grandson of John Tyler, 10th President of the US, Died Last Month at Age 96 (msn.com)

Tesla's Optimus and the Humanoid Robot Race Nobody's Ready For (investorplace.com)

How Vercel is adaptîng SEO for LLMs (vercel.com)

Alexa von Tobel has high hopes for 'fintech 3.0' (techcrunch.com)

ESA's Nuclear Rocket: Faster Mars Missions (universetoday.com)

Be careful when browsing for browser extensions in the Chrome Web Store (chuniversiteit.nl)

Show HN: MyRephra 2 – Free, system-wide AI paraphrasing utility for macOS (idemfactor.com)

RustDesk: The Fast Open-Source Remote Access and Support Software (rustdesk.com)

Show HN: Tikt.com – Remove the "OK" from TikTok URL's to Download as MP3 or MP4 (tikt.com)

LibreTranslate/LTEngine – Open-Source Local AI Machine Translation API in Rust (github.com)

NASA sets new potential launch date for Ax-4 mission to ISS – SpaceNews (spacenews.com)

More fruit and vegetables predicts less disrupted sleep in younger adults (sleephealthjournal.org)

A Word Is Worth 4-Bit: Log Parsing with Binary Coded Decimal Recognition (arxiv.org)

Meta's latest model highlights the challenge AI faces in long-term planning (the-decoder.com)

Pinstr: Decentralized and Free Pinterest Clone (github.com)

Pitfalls of premature closure with LLM assisted coding (shayon.dev)

Nurse practitioners step in as geriatrician ranks shrink (washingtonpost.com)

Next.js Starter Template 2.0 (next-starter-skolaczk.vercel.app)

About Feeds (aboutfeeds.com)

An origin trial for a new HTML <permission> element (2024)

Comments (65)