The similar <geolocation> element has clickjacking prevention enforced by the browser[0], and even if the website finds a way around it, it still shows the normal permission prompt.[1]
The immediate thought is re-prompt spam, for eternity, even with an appropriate signal sent from the user agent. This is the same as cookie banners - keep flushing the cookies after each session if the user agent doesn’t accept and wait until they do.
It’s a techbros wet dream on consent. Just keep asking until they say yes.
How do you see it being abused?
"Press here to view the content", there's already plenty in the wild that grant access to notifications with deceptive buttons.
The similar <geolocation> element has clickjacking prevention enforced by the browser[0], and even if the website finds a way around it, it still shows the normal permission prompt.[1]
[0]: https://developer.mozilla.org/en-US/docs/Web/API/HTMLGeoloca...
[1]: https://mdn.github.io/dom-examples/geolocation-element/basic... (requires Chromium)
2 replies →
“targeted and functional controls for accessing camera and microphone streams”
The immediate thought is re-prompt spam, for eternity, even with an appropriate signal sent from the user agent. This is the same as cookie banners - keep flushing the cookies after each session if the user agent doesn’t accept and wait until they do.
It’s a techbros wet dream on consent. Just keep asking until they say yes.
But it’s only showing a button and then the prompt when you click the button. Unless you click the button, it can’t spam you with permissions.
2 replies →