Conversation
b1tr0t
commented
Dec 19, 2023
- Edited for flow/readability
- Added a challenge we intend to address with PEPC (insufficiency of existing mitigations)
- Added a rejected alternative, an allow list based approach
of the user's interaction in the content area, and the user's intent.

*Example 1. A notification permission prompt on a news site (contents
This example seems contrived... for Notifications, the API doesn't require a user gesture to request permission.
To confirm, try this on any site via the developer console (i.e., without user activation):
Notification.requestPermission()
That's a flaw in the Notifications API (which we should fix collectively as user agents), but the notification prompt is not resulting from the user clicking - the site can show the permission prompt at any time.
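As an added example (not code from the explainer or this PR), here is the site-side check a well-behaved page would apply before calling the API discussed above: request the permission only while the browser reports current user activation. `navigator.userActivation.isActive` is a real browser property; `permissionRequestDecision` and `makeStubs` are names introduced here, and the stubs are constructed stand-ins for `navigator` and `Notification` so the logic can be exercised under Node.

```javascript
// Added example: decide whether a site may call Notification.requestPermission()
// right now. The decision is a pure function of browser state so it can be
// checked outside a browser; requestIfAllowed applies it to the real objects.
function permissionRequestDecision(nav, notificationPermission) {
  // Don't re-prompt a user who already granted or denied.
  if (notificationPermission !== "default") {
    return { allowed: false, reason: notificationPermission };
  }
  // navigator.userActivation.isActive is true only for a short window after a
  // genuine user gesture (click, key press). Browsers without the property get
  // a conservative "no" rather than an unconditional prompt.
  const active = Boolean(nav && nav.userActivation && nav.userActivation.isActive);
  if (!active) {
    return { allowed: false, reason: "no-user-activation" };
  }
  return { allowed: true, reason: "user-activation" };
}

// Wire the decision to the real API; in a browser, call this from a click handler.
async function requestIfAllowed(nav, NotificationApi) {
  if (typeof NotificationApi === "undefined") {
    return "unsupported";
  }
  const decision = permissionRequestDecision(nav, NotificationApi.permission);
  return decision.allowed ? NotificationApi.requestPermission() : decision.reason;
}

// Constructed stand-ins for navigator and Notification (not real browser data),
// so the module also runs end to end under Node.
function makeStubs(isActive, permission = "default") {
  const NotificationApi = {
    permission,
    calls: 0,
    async requestPermission() {
      this.calls += 1;
      this.permission = "granted";
      return "granted";
    },
  };
  const nav = { userActivation: { isActive, hasBeenActive: isActive } };
  return { nav, NotificationApi };
}

if (typeof require !== "undefined" && require.main === module) {
  const { nav, NotificationApi } = makeStubs(true);
  requestIfAllowed(nav, NotificationApi).then((r) => console.log("after click:", r));
}
```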
This is a real-world scenario that I've personally experienced several times. The notifications API might not require a user gesture, but for some reason it seems that some sites will request the notification permission as soon as a click happens in the page.
As much of the team is now out on holidays, I'll get back on this in the new year. Thanks so much for the detailed analysis! Happy holidays and new year!
Co-authored-by: Marcos Cáceres <marcos@marcosc.com>
I have extracted the generic pieces of feedback into #8. For the rest of them, I have accepted the 2 edit suggestions and I will follow up with another PR to cover the more involved suggestions (event names, and mentioning the time-to-interaction signal).