Page Embedded Permission Control

Notes for TPAC 2024 breakout session

Attendees

• Penelope McLachlan (Google)
• Simon Pieters (Mozilla)
• Alexandra Reimers (Google Chrome)
• Balazs Engedy (Google Chrome)
• Nick Doty (CDT)
• Steve Becker (Microsoft)
• Rahul Singh (Microsoft)
• Christine Hollingsworth (Google Chrome)
• Christian Biesinger (Google Chrome)
• Evan Stade (Google)
• … also some Apple folks
• Wendy Seltzer

Minutes

• Presentation by Penny McLachlan : External - TPAC 2024 - PEPC Breakout

• Problems with current model

• Permissions requests often lack context
• Sites encourage users (but can be nefarious)
• Permission dialog might be distant from user’s visual focus (and missed)
• Users become blind to prompts (fatigue)
• Difficult to reverse past permission decisions, very few users succeed despite guidance by site

• Problems with current attempts at solutions

• Making prompts less interruptive resulted in a drop in grant rates and users not getting the thing they cared about done
• User gesture requirement isn’t much of a filter
• There is an effort from browsers to clean up permission grants that are too old

• Terminology: “recovery” = user moving self from less desired to more desired state
• PEPC proposal

• Holistic solution at heart: user must consciously initiate permission flow
• Details:

• HTML element i.e. directly embedded in page
• With anti-clickjacking measures
• That launches a prompt flow

• Advantages:

• Embedding solves the context problem
• Reduced prompt fatigue because prompt is always initiated by user
• Users can revisit their decisions easily (with same embedded element)

• PEPC available as origin trial in Chrome
• Origin trial early results:

• 250% increase in recovery success rate
• No regression in grant rates

• More users grant one-time flavor, considered a win

• Average time to action for permission decision reduced by 25-30%

• Open problems:

• Duplication of existing functionality (permission API, direct capability access)
• Requires site integration

• Can we keep users safe while shipping something developers will want to use? Maximal styling restrictions at the start, can be removed later if needed.

• PEPC features are mutually required (not possible to add incrementally)
• Can we use PEPC without the confirmation UI? Probably for low risk permissions or if the user has previously granted.

• Nick Doty (CDT): Questions around internationalization: in which language should this operate?

• PEPC should look like it belongs in the page where it’s embedded, confirmation UI should be in the user locale

• Discussion around whether decoupling the permission grant moment from the actual usage of the capability is abusable or may be confusing to the users

• Some capabilities like camera require extra decisions such as which device to use, which doesn’t fit nicely into the preemptive grant

• Nick: picker-style UIs for location (do you want to share current location or pick a location on a map?) might be more possible after a user had initiated location request with an in-page element
• Reverting decision can still be hard if site chooses to hide PEPC