The Web Bluetooth API asks you for permission every time. Like every new web standard like it. It's still something many users will blindly click through but at least there's that.
At least this doesn't seem to be a priority feature for Mozilla yet. MDN doesn't even have proper docs for it. So I'm a bit thankful for that, for now.
As for Facebook and the accelerometer, I'm presuming you're on Android, so you can definitely blame Google for that.
The browser should offer some kind of permission system (like with the GPS sensor) that would ask the user if a website has permissions to access the vibrate API.
I'm surprised to learn that a web site doesn't need to ask for your permission to access the Vibrate API. I think there must be a warning screen with the list of permissions the web site wants, like the ones we're getting when installing apps from app stores but with a twist so you can disable individual permissions for a web site.
In a mobile browser, this would also be not as easy as in an app because the permission would have to be requested on-demand (or on page load), if I am not mistaken.
I see how that's true of permission prompts in general, but I'm not really convinced in this case, and I'm firmly against the Firefox/Safari position here (even as a day-to-day Firefox user).
"https://example.com wants to connect to: ... Samsung 5s" -> click 'Samsung 5s' -> click 'Connect' seems fairly unambiguous to me.
I feel like any user who doesn't understand that, and who still clicks 'yes' would also merrily download and run an unprompted .exe download, or install an app from the Play Store, either of which is much more powerful than one Bluetooth connection, and much easier to do as an attacker.
That said, I agree this is a problem, I'd be totally on board with clearer & tighter browser permissions systems. I saw one proposal where permissions prompts weren't allowed at all, just floating icons in the address bar, so that the user must click the Bluetooth icon (or other permission icon) in the address bar to even see the prompt in the first place. That's perfectly valid within the Web Bluetooth spec, and for sensitive permissions I'd be fine with it.
Most of these toggles will pop up a permissions dialog. Trigger enough of those, and the user will either dismiss them automatically or accept automatically.
This is not a web site. It is a hybrid application. I am using push notifications and GPS, so I need a lot of permissions. I will try to reduce the permissions.
Thanks for your feedback.
Maybe if we make a habit of it, it’ll help a little bit. I think most devs say “give me all the permissions” out of expediency, and most users say OK for the same reason.
Is there such a thing as graceful degradation here? If I say yes to Location, but no to Contacts, the app should still function but the bits that need the Contacts would be unavailable.
Or, it asks for those permissions when, and only when, it needs them.
The problem is that you cannot just add a new permission and expect things to not break. The flow for requesting permissions is different and would break pretty much every website that uses these APIs.