Require user gesture for notification permission request #108

Open
AshleyScirra opened this issue Sep 24, 2017 · 10 comments
@AshleyScirra

(This is a cross-post of this WICG post based on this suggestion)

I’ve noticed some websites ask for permission to send notifications immediately on the first visit. This is annoying, enough that guides appear showing how to turn them off. It’s also surprising that these days a website often cannot even start autoplaying media upon visiting a page - to avoid annoying users - but it can still ask for you to permanently allow the website to send you notifications at any time, which is a good channel for spam.

I can’t think of any good reason someone would click “Allow” for notifications right away, without knowing anything about the website, the kind of content it will send, and the frequency. The user has likely not even clicked or touched inside the page yet. Nobody can make a good decision at this point. It seems websites are relying on users making bad decisions: hopefully some people will click “Allow” by accident, and then the website can spam them.

Why not require a user gesture? It would block this dark pattern entirely and still allow legitimate sites to work. It seems likely to improve the user experience since even if a website shows a prompt with a button to enable notifications right away, they’d probably at least try to explain why it’s useful to do so. I suspect many sites would instead relegate the option to a less intrusive UI.
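A site-side sketch of the behaviour proposed above, as an added example that is not part of the original post or of the specification. The names `promptDecision`, `requestOnGesture`, `fakeEnv` and the `env` parameter are hypothetical; in a page, `env` would be `{ Notification: window.Notification, userActivation: navigator.userActivation }`.

```javascript
// Added example. `env` is a hypothetical injection point so the logic can be
// exercised outside a browser with constructed stand-ins.

// Decide, synchronously, whether showing the permission prompt is appropriate.
function promptDecision(env) {
  const { Notification, userActivation } = env;
  if (!Notification) return 'unsupported';
  // The user already chose: re-asking is unnecessary ('granted') or futile ('denied').
  if (Notification.permission !== 'default') return Notification.permission;
  // Transient activation is set only briefly after a click, tap or key press.
  if (!userActivation || !userActivation.isActive) return 'needs-gesture';
  return 'prompt';
}

// Call from the click handler of an "Enable notifications" control, never on load.
async function requestOnGesture(env) {
  const decision = promptDecision(env);
  if (decision !== 'prompt') return decision;
  return env.Notification.requestPermission();
}

// Constructed stand-ins for the browser objects; `calls` counts prompts shown.
function fakeEnv(permission, isActive) {
  const calls = { count: 0 };
  const Notification = {
    permission,
    requestPermission() {
      calls.count += 1;
      return Promise.resolve('granted');
    },
  };
  return { Notification, userActivation: { isActive }, calls };
}
```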

@annevk
Member

annevk commented Sep 24, 2017

Seems reasonable to me. @martinthomson @beverloo @jyasskin what do you think? Would this play badly with push notifications perhaps?

(Make sure to acknowledge @MattWilcox if we adopt this.)

@mnoorenberghe

This is a variation of w3c/permissions/issues/77 which I obviously fully support. I think it has become clear to more people at Mozilla that our recent changes to make it harder to dismiss our permission prompts have made this problem even worse (as I predicted).

@martinthomson

No, this wouldn't cause any issues on the specification side. It might annoy some sites that insist on throwing up the prompt immediately after page load. Before actually deploying this, we might want to test how many sites do the bad thing we don't like.

@annevk
Member

annevk commented Sep 25, 2017

I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1402785 to get this going on Firefox.

@AshleyScirra
Author

FWIW I think there is a use case for some permissions prompting on load, e.g. geolocation permission for a maps app. I think the notifications permission is a special case with no use case for prompting on load and is already being abused. I have no opinion if other permissions end up requiring a user gesture, but I only intended to affect the notifications API in this issue.

@jyasskin
Member

See also WICG/interventions#49 (comment).

@jimmywarting

Still annoying. Have blocked so many websites over the year.
I have had that tweet bookmarked for such a long time now. Sometimes I scroll down to the bottom of the page to find the contact form and send them exactly that tweet.

So abused...

@johannhof
Member

We have been experimenting with this since earlier this year on Firefox Nightly and are seeing good results. We'll summarize and publish our findings once our final study on Release users ends (it ends in September).

In almost 4 months of running this on Nightly, we have gotten exactly 0 complaints about sites not working, while we greatly increased the allow ratio.

Again, this is not a final announcement, just a short progress report, with more updates coming soon.

@johannhof
Member

Note that this would likely also require a change in https://www.w3.org/TR/push-api/#dom-pushmanager-subscribe in addition to this spec.

@markcellus

markcellus commented May 18, 2022

Sorry if this was already suggested and/or discussed, or maybe I'm late to the party 😁 . But someone in another thread mentioned that malicious website owners could show a fake prompt to get users to click/gesture, which would defeat the purpose of placing it behind a user gesture. Would it make sense to limit the notification permission request to users who have installed the website as a PWA? At that point, I'd think a user would expect the app to behave like a native one on a mobile device and be able to send push notifications.
