Page Embedded Permission Control
Notes for TPAC 2024 breakout session
Attendees
- Penelope McLachlan (Google)
- Simon Pieters (Mozilla)
- Alexandra Reimers (Google Chrome)
- Balazs Engedy (Google Chrome)
- Nick Doty (CDT)
- Steve Becker (Microsoft)
- Rahul Singh (Microsoft)
- Christine Hollingsworth (Google Chrome)
- Christian Biesinger (Google Chrome)
- Evan Stade (Google)
- … also some Apple folks
- Wendy Seltzer
Minutes
- Problems with current model
  - Permissions requests often lack context
  - Sites encourage users (but can be nefarious)
  - Permission dialog might be distant from user’s visual focus (and missed)
  - Users become blind to prompts (fatigue)
  - Difficult to reverse past permission decisions; very few users succeed despite guidance by site
- Problems with current attempts at solutions
  - Making prompts less interruptive resulted in a drop in grant rates and users not getting the thing they cared about done
  - User gesture requirement isn’t much of a filter
  - There is an effort from browsers to clean up permission grants that are too old
- Terminology: “recovery” = user moving self from less desired to more desired state
- PEPC proposal
  - Holistic solution at heart: user must consciously initiate permission flow
  - Details:
    - HTML element, i.e. directly embedded in page
    - With anti-clickjacking measures
    - That launches a prompt flow
  - Embedding solves the context problem
  - Reduced prompt fatigue because prompt is always initiated by user
  - Users can revisit their decisions easily (with same embedded element)
  - PEPC available as origin trial in Chrome
  - Origin trial early results:
    - 250% increase in recovery success rate
    - No regression in grant rates
    - More users grant one-time flavor, considered a win
    - Average time to action for permission decision reduced by 25-30%
- Duplication of existing functionality (permission API, direct capability access)
- Requires site integration
- Can we keep users safe while shipping something developers will want to use? Maximal styling restrictions at the start, can be removed later if needed.
- PEPC features are mutually required (not possible to add incrementally)
- Can we use PEPC without the confirmation UI? Probably for low risk permissions or if the user has previously granted.
- Nick Doty (CDT): Questions around internationalization: in which language should this operate?
  - PEPC should look like it belongs in the page where it’s embedded, confirmation UI should be in the user locale
- Discussion around whether decoupling the permission grant moment from the actual usage of the capability is abusable or may be confusing to the users
- Some capabilities like camera require extra decisions such as which device to use, which doesn’t fit nicely into the preemptive grant
- Nick: picker-style UIs for location (do you want to share current location or pick a location on a map?) might be more possible after a user had initiated location request with an in-page element
- Reverting decision can still be hard if site chooses to hide PEPC