Permissions

Interacting with Permissions for Powerful Features

W3C Editor's Draft

More details about this document
This version:
https://w3c.github.io/permissions/
Latest published version:
https://www.w3.org/TR/permissions/
Latest editor's draft:
https://w3c.github.io/permissions/
History:
Commit history
Editors:
Marcos Cáceres (Apple Inc.)
Mike Taylor (Google LLC)
Former editors:
Mounir Lamouri (Google LLC)
Jeffrey Yasskin (Google LLC)
Feedback:
GitHub w3c/permissions (pull requests, new issue, open issues)
Browser support:
Chrome logo43
Edge logo79
Firefox logo46
Safari logo16.0
desktop
Android Chrome logo122
Android Firefox logo123
Android UC logo15.5
iOS Safari logo16.0
Samsung Internet logo4
mobile
More info

Abstract

This specification defines common infrastructure that other specifications can use to interact with browser permissions. These permissions represent a user's choice to allow or deny access to "powerful features" of the platform. For developers, the specification standardizes an API to query the permission state of a powerful feature, and be notified if a permission to use a powerful feature changes state.

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This is a work in progress.

This document was published by the Web Application Security Working Group as an Editor's Draft.

Publication as an Editor's Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 2 November 2021 W3C Process Document.

1. Introduction

This section is non-normative.

Specifications can define features that are explicitly identified as a powerful feature. These features are said to be "powerful" in that they can have significant privacy, security, and performance implications. As such, users rely on user agents to deny sites the ability to use these features until they have given express permission, and usually only granting this ability for a limited amount of time. Express permission to allow a site to use a powerful feature is generally given and controlled through browser UI, as illustrated below.

On the left, a mockup of a notifications prompt with an allow and don't allow buttons that states 'the website example.com would like to send you notifications'. On the right, a prompt near the URL bar asking to give permission to the camera and microphone to the example site.
Figure 1 Sketches of possible permission prompt types

In this sense, a permission represents the current state of user consent for certain types of features, and particularly "powerful features". Ultimately the user retains control of these permissions and have the ability to manually grant or deny permissions through user preferences. Further, user agents assist users in managing permissions by, for example, hiding and automatically denying certain permission prompts that would otherwise be a nuisance, and automatically expiring granted permissions if a user doesn't visit a website for some time.

A mockup of a settings page that would allow a user to set or reset defaults for location, camera, microphone, motion sensors, and notifications permissions.
Figure 2 A sketch of a possible site-specific permissions controls UI

2. Examples of usage

This section is non-normative.

This example uses the Permissions API to decide whether local news should be shown using the Geolocation API or with a button offering to add the feature.

Example 1: Using .state attribute
const { state } = await navigator.permissions.query({
  name: "geolocation"
});
switch (state) {
  case "granted":
    showLocalNewsWithGeolocation();
    break;
  case "prompt":
    showButtonToEnableLocalNews();
    break;
  case "denied":
    showNationalNews();
    break;
}

This example simultaneously checks the state of the "geolocation" and "notifications" powerful features:

Example 2: Checking the state of multiple permissions
const queryPromises = ["geolocation", "notifications"].map(
  name => navigator.permissions.query({ name })
);
for await (const status of queryPromises) {
  console.log(`${status.name}: ${status.state}`);
}

This example is checking the permission state of the available cameras.

Example 3: Checking permission state of multiple cameras
const devices = await navigator.mediaDevices.enumerateDevices();

// filter on video inputs, and map to query object
const queries = devices
  .filter(({ kind }) => kind === "videoinput")
  .map(({ deviceId }) => ({ name: "camera", deviceId }));

const promises = queries.map((queryObj) =>
  navigator.permissions.query(queryObj)
);

try {
  const results = await Promise.all(promises);
  // log the state of each camera
  results.forEach(({ state }, i) => console.log("Camera", i, state));
} catch (error) {
  console.error(error);
}

3. Model

This section specifies a model for permissions to use powerful features on the Web platform.

3.1 Permissions

A permission represents a user's decision to allow a web application to use a powerful feature. This decision is represented as a permission state.

Express permission refers to the user granting the web application the ability to use a powerful feature.

Note: Limitations and extensibility

Conceptually, a permission for a powerful feature can be in one of the following states:

"denied":
The user, or the user agent on the user's behalf, has denied access to this powerful feature. The caller will can't use the feature.
"granted":
The user, or the user agent on the user's behalf, has given express permission to use a powerful feature. The caller will can use the feature possibly without having the user agent asking the user's permission.
"prompt":
The user has not given express permission to use the feature (i.e., it's the same as "denied"). It also means that if a caller attempts to use the feature, the user agent will either be prompting the user for permission or access to the feature will be "denied".

To ascertain new information about the user's intent, a user agent MAY collect and interpret information about a user's intentions. This information can come from explicit user action, aggregate behavior of both the relevant user and other users, or implicit signals this specification hasn't anticipated.

Note: What constitutes an implicit signal?

Every permission has a lifetime, which is the duration for which a particular permission remains "granted" before it reverts back to its default state. A lifetime could be until a particular Realm is destroyed, until a particular top-level browsing context is destroyed, a particular amount of time, or be infinite. The lifetime is negotiated between the end-user and the user agent when the user gives express permission to use a feature—usually via some permission UI or user-agent defined policy.

Every permission has a default state (usually "prompt"), which is the state that the permission is in when the user has not yet given express permission to use the feature or it has been reset because its lifetime has expired.

3.2 Permission Store

The user agent maintains a single permission store which is a list of permission store entries. Each particular entry denoted by its descriptor and key can only appear at most once in this list.

The user agent MAY remove entries from the permission store when their respective permission's lifetime has expired.

A permission store entry is a tuple of PermissionDescriptor descriptor, permission key key, and state state.

To get a permission store entry given a PermissionDescriptor descriptor and permission key key:

  1. If the user agent's permission store contains an entry whose descriptor is descriptor, and whose key is equal to key given descriptor, return that entry.
  2. Return null.

To set a permission store entry given a PermissionDescriptor descriptor, a permission key key, and a state state, run these steps:

  1. Let newEntry be a new permission store entry whose descriptor is descriptor, and whose key is key, and whose state is state.
  2. If the user agent's permission store contains an entry whose descriptor is descriptor, and whose key is equal to key given descriptor, replace that entry with newEntry and abort these steps.
  3. Append newEntry to the user agent's permission store.

To remove a permission store entry given a PermissionDescriptor descriptor and permission key key, run these steps:

  1. Remove the entry whose descriptor is descriptor, and whose key is equal to key given descriptor, from the user agent's permission store.

A permission key has its type defined by a feature's permission key type.

Note

To determine whether a permission key key1 is equal to a permission key key2, given a PermissionDescriptor descriptor, run the following steps:

  1. If key1 is not of descriptor's permission key type or key2 is not of descriptor's permission key type, return false.
  2. Return the result of running the permission key comparison algorithm for the feature named by descriptor's name, passing key1 and key2.

3.3 Powerful features

A powerful feature is a web platform feature (usually an API) for which a user gives express permission before the feature can be used. Except for a few notable exceptions (e.g., the Notifications API Standard), most powerful features are also policy-controlled features. For powerful features that are also policy-controlled features, [Permissions-Policy] controls whether a document is allowed to use a given feature. That is, a powerful feature can only request express permission from a user if the document has permission delegated to it via the corresponding policy-controlled feature (see example below). Subsequent access to the feature is determined by the user having "granted" permission, or by satisfying some criteria that is equivalent to a permission grant.

A powerful feature is identified by its name, which is a string literal (e.g., "geolocation").

The user agent tracks which powerful features the user has permission to use via the environment settings object.

3.3.1 Aspects

Each powerful feature can define zero or more additional aspects. An aspect is defined as WebIDL dictionary that inherits from PermissionDescriptor and serves as a WebIDL interface's permission descriptor type.

3.4 Permissions task source

The permissions task source is a task source used to perform permissions-related tasks in this specification.

4. Specifying a powerful feature

When a conforming specification specifies a powerful feature it:

  1. MUST give the powerful feature a name in the form of a ascii lowercase string.
  2. MAY define a permission descriptor type that inherits from PermissionDescriptor.
  3. MAY define zero or more aspects.
  4. MAY override the algorithms and types given below if the defaults are not suitable for a particular powerful feature.
  5. MUST register the powerful feature in the Permissions Registry.

Registering the newly specified powerful features in the Permissions Registry gives this Working Group an opportunity to provide feedback and check that integration with this specification is done effectively.

A permission descriptor type:

PermissionDescriptor or one of its subtypes. If unspecified, this defaults to PermissionDescriptor.

The feature can define a partial order on descriptor instances. If descriptorA is stronger than descriptorB, then if descriptorA's permission state is "granted", descriptorB's permission state must also be "granted", and if descriptorB's permission state is "denied", descriptorA's permission state must also be "denied".

permission state constraints:
Constraints on the values that the user agent can return as a descriptor's permission state. Defaults to no constraints beyond the user's intent.
extra permission data type:

Some powerful features have more information associated with them than just a PermissionState. Each of these features defines an extra permission data type.

Note

For example, getUserMedia() needs to determine which cameras the user has granted permission to access.

If a DOMString name names one of these features, then name's extra permission data for an optional environment settings object settings is the result of the following algorithm:

  1. If settings wasn't passed, set it to the current settings object.
  2. If there was a previous invocation of this algorithm with the same name and settings, returning previousResult, and the user agent has not received new information about the user's intent since that invocation, return previousResult.
  3. Return the instance of name's extra permission data type that matches the UA's impression of the user's intent, taking into account any extra permission data constraints for name.

If specified, the extra permission data algorithm is usable for this feature.

Optional extra permission data constraints:
Constraints on the values that the user agent can return as a powerful feature's extra permission data. Defaults to no constraints beyond the user's intent.
A permission result type:
PermissionStatus or one of its subtypes. If unspecified, this defaults to PermissionStatus.
A permission query algorithm:

Takes an instance of the permission descriptor type and a new or existing instance of the permission result type, and updates the permission result type instance with the query result. Used by Permissions' query(permissionDesc) method and the PermissionStatus update steps. If unspecified, this defaults to the default permission query algorithm.

The default permission query algorithm, given a PermissionDescriptor permissionDesc and a PermissionStatus status, runs the following steps:

  1. Set status's state to permissionDesc's permission state.
A permission key type:

The type of permission key used by the feature. Defaults to origin. A feature that specifies a custom permission key type MUST also specify a permission key generation algorithm.

A permission key generation algorithm:

Takes an environment settings object, and returns a new permission key. If unspecified, this defaults to the default permission key generation algorithm. A feature that specifies a custom permission key generation algorithm MUST also specify a permission key comparison algorithm.

The default permission key generation algorithm, given an environment settings object settings, runs the following steps:

  1. Return settings's top-level origin.
Note: Permission Delegation
A permission key comparison algorithm:

Takes two permission keys and returns a boolean that shows whether the two keys are equal. If unspecified, this defaults to the default permission key comparison algorithm.

The default permission key comparison algorithm, given permission keys key1 and key2, runs the following steps:

  1. Return key1 is same origin with key2.
A permission revocation algorithm:

Takes no arguments. Updates any other parts of the implementation that need to be kept in sync with changes in the results of permission states or extra permission data.

If unspecified, this defaults to running react to the user revoking permission.

A permission lifetime:

Specifications that define one or more powerful features SHOULD suggest a permission lifetime that is best suited for the particular feature. Some guidance on determining the lifetime of a permission is noted below, with a strong emphasis on user privacy. If no lifetime is specified, the user agent provides one.

When the permission lifetime expires for an origin:

  1. Set the permission back to its default permission state (e.g., by setting it back to "prompt").
  2. For each browsing context associated with the origin (if any), queue a global task on the permissions task source with the browsing context's global object to run the permission revocation algorithm.
Note: Determining the lifetime of a permission
Default permission state:

An PermissionState value that serves as a permission's default state of a powerful feature.

If not specified, the permission's default state is "prompt".

A default powerful feature is a powerful feature with all of the above types and algorithms defaulted.

5. Algorithms to interface with permissions

5.1 Reading the current permission state

To get the current permission state, given a name name and an optional environment settings object settings, run the following steps. This algorithm returns a PermissionState enum value.

  1. Let descriptor be a newly-created PermissionDescriptor with name initialized to name.
  2. Return the permission state of descriptor with settings.

A descriptor's permission state, given an optional environment settings object settings is the result of the following algorithm. It returns a PermissionState enum value:

  1. If settings wasn't passed, set it to the current settings object.
  2. If settings is a non-secure context, return "denied".
  3. Let feature be descriptor's name.
  4. If there exists a policy-controlled feature for feature and settings' relevant global object has an associated Document run the following step:
    1. Let document be settings' relevant global object's associated Document.
    2. If document is not allowed to use feature, return "denied".
  5. Let key be the result of generating a permission key for descriptor with settings.
  6. Let entry be the result of getting a permission store entry with descriptor and key.
  7. If entry is not null, return a PermissionState enum value from entry's state.
  8. Return the PermissionState enum value that represents the permission state of feature, taking into account any permission state constraints for descriptor's name.

As a shorthand, a DOMString name's permission state is the permission state of a PermissionDescriptor with its name member set to name.

5.2 Requesting permission to use a powerful feature

To request permission to use a descriptor, the user agent must perform the following steps. This algorithm returns either "granted" or "denied".

  1. Let current state be the descriptor's permission state.
  2. If current state is not "prompt", return current state and abort these steps.
  3. Ask the user for express permission for the calling algorithm to use the powerful feature described by descriptor.
  4. If the user gives express permission to use the powerful feature, set current state to "granted"; otherwise to "denied". The user's interaction may provide new information about the user's intent for the origin.
    Note

    This is intentionally vague about the details of the permission UI and how the user agent infers user intent. User agents should be able to explore lots of UI within this framework.

  5. Let key be the result of generating a permission key with the current settings object.
  6. Queue a task on the current settings object's responsible event loop to set a permission store entry with descriptor, key, and current state.
  7. Return current state.

As a shorthand, requesting permission to use a DOMString name, is the same as requesting permission to use a PermissionDescriptor with its name member set to name.

5.3 Prompt the user to choose

To prompt the user to choose one or more options associated with a given descriptor and an optional boolean allowMultiple (default false), the user agent must perform the following steps. This algorithm returns either "denied" or the user's selection.

  1. If descriptor's permission state is "denied", return "denied" and abort these steps.
  2. If descriptor's permission state is "granted", the user agent may return one (or more if allowMultiple is true) of options chosen by the user and abort these steps. If the user agent returns without prompting, then subsequent prompts for the user to choose from the same set of options with the same descriptor must return the same option(s), unless the user agent receives new information about the user's intent.
  3. Ask the user to choose one or more options or deny permission, and wait for them to choose:
    1. If the calling algorithm specified extra information to include in the prompt, include it.
    2. If allowMultiple is false, restrict selection to a single item from options; otherwise, any number may be selected by the user.
  4. If the user chose one or more options, return them; otherwise return "denied".
    Note

    This is intentionally vague about the details of the permission UI and how the user agent infers user intent. User agents should be able to explore lots of UI within this framework (e.g., a permission prompt could time out and automatically return "denied" without the user making an explicit selection).

As a shorthand, prompting the user to choose from options associated with a DOMString name, is the same as prompting the user to choose from those options associated with a PermissionDescriptor with its name member set to name.

5.4 Reacting to users revoking permission

When the user agent learns that the user no longer intends to grant permission to use a feature described by the PermissionDescriptor descriptor in the context described by the permission key key, react to the user revoking permission by running these steps:

  1. Run descriptor's name's permission revocation algorithm.
  2. Remove a permission store entry with descriptor and key.

6. Permissions API

WebIDL[Exposed=(Window)]
partial interface Navigator {
  [SameObject] readonly attribute Permissions permissions;
};

[Exposed=(Worker)]
partial interface WorkerNavigator {
  [SameObject] readonly attribute Permissions permissions;
};

6.2 Permissions interface

WebIDL[Exposed=(Window,Worker)]
interface Permissions {
  Promise<PermissionStatus> query(object permissionDesc);
};

dictionary PermissionDescriptor {
  required DOMString name;
};

6.2.1 query() method

When the query() method is invoked, the user agent MUST run the following query a permission algorithm, passing the parameter permissionDesc:

  1. If this's relevant global object is a Window object, then:
    1. If the current settings object's associated Document is not fully active, return a promise rejected with an "InvalidStateError" DOMException.
  2. Let rootDesc be the object permissionDesc refers to, converted to an IDL value of type PermissionDescriptor.
  3. If the conversion throws an exception, return a promise rejected with that exception.
  4. If rootDesc["name"] is not supported, return a promise rejected with a TypeError.
    Note: Why is this not an enum?
  5. Let typedDescriptor be the object permissionDesc refers to, converted to an IDL value of rootDesc's name's permission descriptor type.
  6. If the conversion throws an exception, return a promise rejected with that exception.
  7. Let promise be a new promise.
  8. Return promise and continue in parallel:
    1. Let status be create a PermissionStatus with typedDescriptor.
    2. Let query be status's [[query]] internal slot.
    3. Run query's name's permission query algorithm, passing query and status.
    4. Queue a global task on the permissions task source with this's relevant global object to resolve promise with status.

6.3 PermissionStatus interface

WebIDL[Exposed=(Window,Worker)]
interface PermissionStatus : EventTarget {
  readonly attribute PermissionState state;
  readonly attribute DOMString name;
  attribute EventHandler onchange;
};

enum PermissionState {
  "granted",
  "denied",
  "prompt",
};

PermissionStatus instances are created with a [[query]] internal slot, which is an instance of a feature's permission descriptor type.

The "granted", "denied", and "prompt" enum values represent the concepts of "granted", "denied", and "prompt" respectively.

6.3.1 Creating instances

To create a PermissionStatus for a given PermissionDescriptor permissionDesc:

  1. Let name be permissionDesc's name.
  2. Assert: The feature identified by name is supported by the user agent.
  3. Let status be a new instance of the permission result type identified by name:
    1. Initialize status's [[query]] internal slot to permissionDesc.
    2. Initialize status's name to name.
  4. Return status.

6.3.2 name attribute

The name attribute returns the value it was initialized to.

6.3.3 state attribute

The state attribute returns the latest value that was set on the current instance.

6.3.4 onchange attribute

The onchange attribute is an event handler whose corresponding event handler event type is change.

Whenever the user agent is aware that the state of a PermissionStatus instance status has changed, it asynchronously runs the PermissionStatus update steps:

  1. If this's relevant global object is a Window object, then:
    1. Let document be status's relevant global object's associated Document.
    2. If document is null or document is not fully active, terminate this algorithm.
  2. Let query be status's [[query]] internal slot.
  3. Run query's name's permission query algorithm, passing query and status.
  4. Queue a task on the permissions task source to fire an event named change at status.

6.3.5 Garbage collection

A PermissionStatus object MUST NOT be garbage collected if it has an event listener whose type is change.

7. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, OPTIONAL, and SHOULD in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Two classes of product can claim conformance to this specification: user agents and other specifications (i.e., a technical report that specifies a powerful feature in a manner that conforms to the requirements of this specification).

A. Relationship to the Permissions Policy specification

This section is non-normative.

Although both this specification and the Permissions Policy specification deal with "permissions", each specification serves a distinct purpose in the platform. Nevertheless, the two specifications do explicitly overlap.

On the one hand, this specification exclusively concerns itself with powerful features whose access is managed through a user-agent mediated permissions UI (i.e., permissions where the user gives express consent before that feature can be used, and where the user retains the ability to deny that permission at any time for any reason). These powerful features are registered in the Permissions Registry.

On the other hand, the Permissions Policy specification allows developers to selectively enable and disable policy-controlled features through a "permissions policy" (be it a HTTP header or the allow attribute). In that sense, the Permissions Policy subsumes this specification in that Permissions Policy governs whether a feature is available at all, independently of this specification. These policy-controlled features are also registered in the Permissions Registry.

A powerful feature that has been disabled by the Permissions Policy specification always has its permission state reflected as "denied" by this specification. This occurs because reading the current permission relies on [HTML]'s "allowed to use" check, which itself calls into the Permissions Policy specification. Important to note here is the sharing of permission names across both specifications. Both this specification and the Permissions Policy specification rely on other specifications defining the names of the permission and name, and they are usually named the same thing (e.g., "geolocation" of the Geolocation API, and so on).

Finally, it's not possible for a powerful feature to ever become "granted" through any means provided by the Permissions Policy specification. The only way that a powerful feature can be "granted" is by the user giving express permission or by some user agent policy.

B. Automated testing

For the purposes of user-agent automation and application testing, this document defines extensions to the [WebDriver] and [WebDriver-BiDi] specifications. It is OPTIONAL for a user agent to support them.

WebIDLdictionary PermissionSetParameters {
  required object descriptor;
  required PermissionState state;
};

To set a permission given a PermissionDescriptor descriptor, a PermissionState state, an optional origin, and an optional user agent:

  1. Let target origin be current settings object's origin if origin is null, or origin otherwise.
  2. Let targets be a list containing all environment settings objects whose origin is same origin with target origin, and which belong to the user agent if provided, or all user agents otherwise.
  3. Let tasks be an empty list.
  4. For each environment settings object target in targets:
    1. Queue a task task on the permissions task source of target's relevant settings object's global object's browsing context to perform the following step:
      1. Interpret state as if it were the result of an invocation of permission state for descriptor with the argument target made at this moment.
    2. Append task to tasks.
  5. Wait for all tasks in tasks to have executed and return.

B.1 Automated testing with [WebDriver]

This document defines the following extension commands for the [WebDriver] specification.

B.1.1 Set Permission

HTTP Method URI Template
POST /session/{session id}/permissions

The Set Permission extension command simulates user modification of a PermissionDescriptor's permission state.

The remote end steps are:

  1. Let parametersDict be the parameters argument, converted to an IDL value of type PermissionSetParameters. If this throws an exception, return an invalid argument error.
  2. If parametersDict.state is an inappropriate permission state for any implementation-defined reason, return an invalid argument error.
    Note

    For example, user agents that define the "midi" powerful feature as "always on" can choose to reject a command to set the permission state to "denied" at this step.

  3. Let rootDesc be parametersDict.descriptor.
  4. Let typedDescriptor be the object rootDesc refers to, converted to an IDL value of permission descriptor type matching the result of Get(rootDesc, "name"). If this throws an exception, return a invalid argument error.
  5. Set a permission with typedDescriptor and parametersDict.state.
  6. Return success with data null.

B.2 Automated testing with [WebDriver-BiDi]

This document defines the following extension modules for the [WebDriver-BiDi] specification.

B.2.1 The permissions Module

The permissions module contains commands for managing the remote end browser permissions.

B.2.1.1 Definition

remote end definition

PermissionsCommand = (
  permissions.setPermission
)
B.2.1.2 Types
B.2.1.2.1 The permissions.PermissionDescriptor Type
permissions.PermissionDescriptor = {
  name: text,
}

The permissions.PermissionDescriptor type represents a PermissionDescriptor.

B.2.1.2.2 The permissions.PermissionState Type
permissions.PermissionState = "granted" / "denied" / "prompt"

The permissions.PermissionState type represents a PermissionState.

B.2.1.3 Commands
B.2.1.3.1 The permissions.setPermission Command

The Set Permission command simulates user modification of a PermissionDescriptor's permission state.

Command Type
permissions.setPermission = (
  method: "permissions.setPermission",
  params: permissions.SetPermissionParameters
)

permissions.SetPermissionParameters = {
  descriptor: permissions.PermissionDescriptor,
  state: permissions.PermissionState,
  origin: text,
  ? userContext: text,
}
Result Type
EmptyResult

The remote end steps with session and command parameters are:

  1. Let descriptor be the value of the descriptor field of command parameters.
  2. Let permission name be the value of the name field of descriptor representing name.
  3. Let state be the value of the state field of command parameters.
  4. Let user context id be the value of the userContext field of command parameters, if present, and default otherwise.
  5. If state is an inappropriate permission state for any implementation-defined reason, return error with error code invalid argument.
  6. Let typedDescriptor be the object descriptor refers to, converted to an IDL value (descriptor, state) of PermissionSetParameters permission name's permission descriptor type. If this conversion throws an exception, return error with error code invalid argument.
  7. Let origin be the value of the origin field of command parameters.
  8. Let user agent be the user agent that represents the user context with the id user context id.
  9. Set a permission with typedDescriptor, state, origin, and user agent.
  10. Return success with data null.

C. Permissions Registry

This section is non-normative.

C.1 Purpose

This W3C Registry provides a centralized place to find the policy-controlled features and/or powerful features of the web platform. Through the change process it also helps assure permissions in the platform are consistently specified across various specifications.

By splitting the registry into standardized permissions and provisional permissions, the registry also provides a way to track the status of these features.

C.2 Change Process

The change process for adding and/or updating this registry is as follows:

  1. If necessary, add a "Permissions Policy" section to your specification which includes the following:
    1. The string that identifies the policy controlled feature (e.g., "super-awesome"). Make sure the string is linkable by wrapping it a dfn element.
    2. The default allowlist value (e.g. 'self').
  2. Determine if your feature meets the definition of a powerful feature (i.e., requires express permission to be used). If it does:
    1. Specify a powerful feature in your specification in conformance with the Permissions specification.
  3. Modify either the table of standardized permissions or the table of provisional permissions filling out each column with the required information.
  4. Submit a pull request to the Powerful Features Registry Repository on GitHub with your changes. The maintainers of the repository will review your pull request and check that everything integrates properly.

C.3 Registry table of standardized permissions

For a permission to appear in the table of standardized permissions, and thus be considered a standardized permission, it needs to meet the following criteria:

Each permission is identified by a unique literal string. In the case of Permissions Policy, the string identifies a policy-controlled features. Similarly, in the Permissions specification the string identifies a powerful feature.

Note: Permissions and Permissions Policy
Table of standardized permissions of the web platform
Identifying string Is policy-controlled feature? Is powerful feature? Specification Implementations
Chromium Gecko WebKit
"geolocation" YES YES Geolocation API YES YES YES
"notifications" NO YES Notifications API Standard YES YES YES
"push" NO YES Push API YES YES YES
"web-share" YES NO Web Share API YES YES YES

C.4 Registry table of provisional permissions

Provisional permissions are permissions that are not yet standardized (i.e., they are either experimental, still in the incubation phase, or are only implemented in a single browser engine).

Table of provisional permissions
Identifying string Is policy-controlled feature? Is powerful feature? Specification Implementations
Chromium Gecko WebKit
"accelerometer" YES YES DeviceOrientation Event Specification YES NO NO
"window-management" YES YES Window Management YES NO NO
"local-fonts" YES YES Local Font Access YES NO NO

D. Privacy considerations

An adversary could use a permission state as an element in creating a "fingerprint" corresponding to an end-user. Although an adversary can already determine the state of a permission by actually using the API, that often leads to a UI prompt being presented to the end-user (if the permission was not already "granted"). Even though this API doesn't expose new fingerprinting information to websites, it makes it easier for an adversary to have discreet access to this information.

A user agent SHOULD provide a means for the user to review, update, and reset the permission state of powerful features associated with an origin.

E. Security considerations

There are no documented security considerations at this time. Readers are instead encouraged to read section D. Privacy considerations.

F. IDL Index

WebIDL[Exposed=(Window)]
partial interface Navigator {
  [SameObject] readonly attribute Permissions permissions;
};

[Exposed=(Worker)]
partial interface WorkerNavigator {
  [SameObject] readonly attribute Permissions permissions;
};

[Exposed=(Window,Worker)]
interface Permissions {
  Promise<PermissionStatus> query(object permissionDesc);
};

dictionary PermissionDescriptor {
  required DOMString name;
};

[Exposed=(Window,Worker)]
interface PermissionStatus : EventTarget {
  readonly attribute PermissionState state;
  readonly attribute DOMString name;
  attribute EventHandler onchange;
};

enum PermissionState {
  "granted",
  "denied",
  "prompt",
};

dictionary PermissionSetParameters {
  required object descriptor;
  required PermissionState state;
};

G. Acknowledgments

This section is non-normative.

The editors would like to thank Adrienne Porter Felt, Anne van Kesteren, Domenic Denicola, Jake Archibald and Wendy Seltzer for their help with the API design and editorial work.

H. References

H.1 Normative references

[dom]
DOM Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://dom.spec.whatwg.org/
[ecma-262]
ECMAScript Language Specification. Ecma International. URL: https://tc39.es/ecma262/multipage/
[HTML]
HTML Standard. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters. WHATWG. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[infra]
Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[Notifications]
Notifications API Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://notifications.spec.whatwg.org/
[Permissions-Policy]
Permissions Policy. Ian Clelland. W3C. 18 December 2023. W3C Working Draft. URL: https://www.w3.org/TR/permissions-policy-1/
[permissions-registry]
Permissions Registry. W3C. Draft Registry. URL: https://w3c.github.io/permissions-registry/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[WebDriver]
WebDriver. Simon Stewart; David Burns. W3C. 5 June 2018. W3C Recommendation. URL: https://www.w3.org/TR/webdriver1/
[WebDriver-BiDi]
WebDriver BiDi. W3C. Editor's Draft. URL: https://w3c.github.io/webdriver-bidi/
[webdriver2]
WebDriver. Simon Stewart; David Burns. W3C. 23 January 2024. W3C Working Draft. URL: https://www.w3.org/TR/webdriver2/
[WEBIDL]
Web IDL Standard. Edgar Chen; Timothy Gu. WHATWG. Living Standard. URL: https://webidl.spec.whatwg.org/

H.2 Informative references

[appmanifest]
Web Application Manifest. Marcos Caceres; Kenneth Christiansen; Matt Giuca; Aaron Gustafson; Daniel Murphy; Anssi Kostiainen. W3C. 29 November 2023. W3C Working Draft. URL: https://www.w3.org/TR/appmanifest/
[Geolocation]
Geolocation API. Marcos Caceres; Reilly Grant. W3C. 1 September 2022. W3C Recommendation. URL: https://www.w3.org/TR/geolocation/
[GETUSERMEDIA]
Media Capture and Streams. Cullen Jennings; Bernard Aboba; Jan-Ivar Bruaroey; Henrik Boström; youenn fablet. W3C. 20 November 2023. W3C Candidate Recommendation. URL: https://www.w3.org/TR/mediacapture-streams/
[local-font-access]
Local Font Access. WICG. cg-draft. URL: https://wicg.github.io/local-font-access/
[orientation-event]
DeviceOrientation Event Specification. Reilly Grant; Raphael Kubo da Costa. W3C. 2 February 2024. W3C Working Draft. URL: https://www.w3.org/TR/orientation-event/
[Permissions]
Permissions. Marcos Caceres; Mike Taylor. W3C. 16 January 2024. W3C Working Draft. URL: https://www.w3.org/TR/permissions/
[push-api]
Push API. Peter Beverloo; Martin Thomson; Marcos Caceres. W3C. 11 December 2023. W3C Working Draft. URL: https://www.w3.org/TR/push-api/
[w3c-process]
W3C Process Document. Elika J. Etemad (fantasai); Florian Rivoal. W3C. 2 November 2021. URL: https://www.w3.org/Consortium/Process/
[Web-Share]
Web Share API. Matt Giuca; Eric Willigers; Marcos Caceres. W3C. 30 May 2023. W3C Recommendation. URL: https://www.w3.org/TR/web-share/
[window-management]
Window Management. Joshua Bell; Mike Wasserman. W3C. 6 September 2023. W3C Working Draft. URL: https://www.w3.org/TR/window-management/