require a gesture for permissions

[Ojan Vafai]

I know in the past we've wanted to require user gestures for permissions, but it's been tough because there are some legit use cases that don't require a gesture.

Since the last time we've discussed this, we've added a new tool that might apply here. For things like vibrate, we don't require a currently active gesture, but we require the frame to have had a gesture at some point.

Would it make sense to gate all permissions on having had a gesture?

I've been very frustrated recently at the number of sites that I hit that immediately ask for notification permission as an example.

[Raymes Khoury]

+chrome-permissions-team 

[Ben Wells]

On Thu, Apr 13, 2017 at 1:00 PM Raymes Khoury <ray...@google.com> wrote:

+chrome-permissions-team 

On Thu, 13 Apr 2017 at 12:57 Ojan Vafai <oj...@google.com> wrote:

I know in the past we've wanted to require user gestures for permissions, but it's been tough because there are some legit use cases that don't require a gesture.

Since the last time we've discussed this, we've added a new tool that might apply here. For things like vibrate, we don't require a currently active gesture, but we require the frame to have had a gesture at some point.

Would it make sense to gate all permissions on having had a gesture?

I don't think so. We've found that there are sites that ask for geolocation on page load and have good acceptance rate. The example that comes to mind is mapquest. For a site like this, the URL / function of the site makes navigating to it a signal of user intent, in that they (a) know that the permission request could be made and (b) deliberately did something to go there.

 

I've been very frustrated recently at the number of sites that I hit that immediately ask for notification permission as an example.

Notifications like this are indeed annoying. I don't think the above logic applies to notifications and I think we could require a user gesture to be attached to the permissions request. I don't know if we need the new has-a-gesture-ever-happened signal, we could probably use the old this-permission-request-was-from-a-gesture signal.

 

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permission...@google.com.
To post to this group, send email to chrome-perm...@google.com.
To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CAEYdGOXDLhbp7kD%3DBoTYP7RARY3eNMbVvithYQMtkcaXpOWyig%40mail.gmail.com.

[Ojan Vafai]

Makes sense. I was just thinking out loud.

In theory, crowd consent should put appropriate ecosystem pressure to fix all these issues. I'm out of touch though. Are we having trouble shipping it?

[Adrienne Porter Felt]

On Wed, Apr 12, 2017 at 9:21 PM Ben Wells <benw...@google.com> wrote:

On Thu, Apr 13, 2017 at 1:00 PM Raymes Khoury <ray...@google.com> wrote:

+chrome-permissions-team 

On Thu, 13 Apr 2017 at 12:57 Ojan Vafai <oj...@google.com> wrote:

I know in the past we've wanted to require user gestures for permissions, but it's been tough because there are some legit use cases that don't require a gesture.

Since the last time we've discussed this, we've added a new tool that might apply here. For things like vibrate, we don't require a currently active gesture, but we require the frame to have had a gesture at some point.

Would it make sense to gate all permissions on having had a gesture?

I don't think so. We've found that there are sites that ask for geolocation on page load and have good acceptance rate. The example that comes to mind is mapquest. For a site like this, the URL / function of the site makes navigating to it a signal of user intent, in that they (a) know that the permission request could be made and (b) deliberately did something to go there.

 

I've been very frustrated recently at the number of sites that I hit that immediately ask for notification permission as an example.

Notifications like this are indeed annoying. I don't think the above logic applies to notifications and I think we could require a user gesture to be attached to the permissions request. I don't know if we need the new has-a-gesture-ever-happened signal, we could probably use the old this-permission-request-was-from-a-gesture signal.

note that this will break facebook's current flow

 

 

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permission...@google.com.
To post to this group, send email to chrome-perm...@google.com.
To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CAEYdGOXDLhbp7kD%3DBoTYP7RARY3eNMbVvithYQMtkcaXpOWyig%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permission...@google.com.
To post to this group, send email to chrome-perm...@google.com.

To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CAKYwr4qvnjRNc%2BAXu-uBzL5d%3DF3aEO2-5OCYEFXzinSKhdputw%40mail.gmail.com.

[Ben Wells]

On Fri, Apr 14, 2017 at 1:17 AM Adrienne Porter Felt <fe...@google.com> wrote:

On Wed, Apr 12, 2017 at 9:21 PM Ben Wells <benw...@google.com> wrote:

On Thu, Apr 13, 2017 at 1:00 PM Raymes Khoury <ray...@google.com> wrote:

+chrome-permissions-team 

On Thu, 13 Apr 2017 at 12:57 Ojan Vafai <oj...@google.com> wrote:

I know in the past we've wanted to require user gestures for permissions, but it's been tough because there are some legit use cases that don't require a gesture.

Since the last time we've discussed this, we've added a new tool that might apply here. For things like vibrate, we don't require a currently active gesture, but we require the frame to have had a gesture at some point.

Would it make sense to gate all permissions on having had a gesture?

I don't think so. We've found that there are sites that ask for geolocation on page load and have good acceptance rate. The example that comes to mind is mapquest. For a site like this, the URL / function of the site makes navigating to it a signal of user intent, in that they (a) know that the permission request could be made and (b) deliberately did something to go there.

 

I've been very frustrated recently at the number of sites that I hit that immediately ask for notification permission as an example.

Notifications like this are indeed annoying. I don't think the above logic applies to notifications and I think we could require a user gesture to be attached to the permissions request. I don't know if we need the new has-a-gesture-ever-happened signal, we could probably use the old this-permission-request-was-from-a-gesture signal.

note that this will break facebook's current flow

Yep, it would, and a bunch of other sites as well. I think we should let the notifications team drive this, if it happens, and make sure it is covered by the spec.

+Peter Beverloo for thoughts...

[Ben Wells]

On Thu, Apr 13, 2017 at 4:08 PM Ojan Vafai <oj...@google.com> wrote:

Makes sense. I was just thinking out loud.

In theory, crowd consent should put appropriate ecosystem pressure to fix all these issues. I'm out of touch though. Are we having trouble shipping it?

Not really - it is just a long process and we don't have a lot of people :( The next step for us is to publish our research along with UX guidelines for website developers to improve their acceptance rates.

I think doing something with notifications and gestures could be treated orthogonally.

 

To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CANMdWTt7vvFQt2NHKPMbqRTbg%2B%2BDi4sB02egthtCjBar99Q9dQ%40mail.gmail.com.

[Peter Beverloo]

+owencm

The notification permission used to require a user gesture, but this was dropped in 2014 because (a) other permissions did not require it, and (b) sites applied popup-esque techniques like hijacking the click event anywhere on the page to ask permission quickly anyway.

I agree that random sites asking for the permission is annoying, but there are fair use-cases when the user has sufficient context, e.g. Facebook (after login). They occasionally black out the screen until requestPermission() resolves - which would render such sites unusable, as we learned in Incognito. Resolving immediately when there is not a user gesture would render users unable to sign up at all.

Last year there were efforts to incentivise sites for requesting permission on user gestures by displaying dialogs in a model fashion. Where did that end up? We don't have bandwidth to drive this right now, so at the very least I'd like us to get a good understanding of the tradeoffs.

Thanks,

Peter

On Tue, Apr 18, 2017 at 7:54 AM, Ben Wells <benw...@google.com> wrote:

On Fri, Apr 14, 2017 at 1:17 AM Adrienne Porter Felt <fe...@google.com> wrote:

On Wed, Apr 12, 2017 at 9:21 PM Ben Wells <benw...@google.com> wrote:

On Thu, Apr 13, 2017 at 1:00 PM Raymes Khoury <ray...@google.com> wrote:

+chrome-permissions-team 

On Thu, 13 Apr 2017 at 12:57 Ojan Vafai <oj...@google.com> wrote:

I know in the past we've wanted to require user gestures for permissions, but it's been tough because there are some legit use cases that don't require a gesture.

Since the last time we've discussed this, we've added a new tool that might apply here. For things like vibrate, we don't require a currently active gesture, but we require the frame to have had a gesture at some point.

Would it make sense to gate all permissions on having had a gesture?

I don't think so. We've found that there are sites that ask for geolocation on page load and have good acceptance rate. The example that comes to mind is mapquest. For a site like this, the URL / function of the site makes navigating to it a signal of user intent, in that they (a) know that the permission request could be made and (b) deliberately did something to go there.

 

I've been very frustrated recently at the number of sites that I hit that immediately ask for notification permission as an example.

Notifications like this are indeed annoying. I don't think the above logic applies to notifications and I think we could require a user gesture to be attached to the permissions request. I don't know if we need the new has-a-gesture-ever-happened signal, we could probably use the old this-permission-request-was-from-a-gesture signal.

note that this will break facebook's current flow

Yep, it would, and a bunch of other sites as well. I think we should let the notifications team drive this, if it happens, and make sure it is covered by the spec.

+Peter Beverloo for thoughts...

 

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permissions-team+unsub...@google.com.
To post to this group, send email to chrome-permissions-team@google.com.

To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CAEYdGOXDLhbp7kD%3DBoTYP7RARY3eNMbVvithYQMtkcaXpOWyig%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permissions-team+unsub...@google.com.
To post to this group, send email to chrome-permissions-team@google.com.

[Dominick Ng]

We ran an experiment on stable with modal permission dialogs with M57. I'm currently writing up the results and will distribute them once ready. 

On Thu, 27 Apr 2017 at 02:53, Peter Beverloo <beve...@google.com> wrote:

+owencm

The notification permission used to require a user gesture, but this was dropped in 2014 because (a) other permissions did not require it, and (b) sites applied popup-esque techniques like hijacking the click event anywhere on the page to ask permission quickly anyway.

I agree that random sites asking for the permission is annoying, but there are fair use-cases when the user has sufficient context, e.g. Facebook (after login). They occasionally black out the screen until requestPermission() resolves - which would render such sites unusable, as we learned in Incognito. Resolving immediately when there is not a user gesture would render users unable to sign up at all.

Last year there were efforts to incentivise sites for requesting permission on user gestures by displaying dialogs in a model fashion. Where did that end up? We don't have bandwidth to drive this right now, so at the very least I'd like us to get a good understanding of the tradeoffs.

Thanks,

Peter

On Tue, Apr 18, 2017 at 7:54 AM, Ben Wells <benw...@google.com> wrote:

On Fri, Apr 14, 2017 at 1:17 AM Adrienne Porter Felt <fe...@google.com> wrote:

On Wed, Apr 12, 2017 at 9:21 PM Ben Wells <benw...@google.com> wrote:

On Thu, Apr 13, 2017 at 1:00 PM Raymes Khoury <ray...@google.com> wrote:

+chrome-permissions-team 

On Thu, 13 Apr 2017 at 12:57 Ojan Vafai <oj...@google.com> wrote:

I know in the past we've wanted to require user gestures for permissions, but it's been tough because there are some legit use cases that don't require a gesture.

Since the last time we've discussed this, we've added a new tool that might apply here. For things like vibrate, we don't require a currently active gesture, but we require the frame to have had a gesture at some point.

Would it make sense to gate all permissions on having had a gesture?

I don't think so. We've found that there are sites that ask for geolocation on page load and have good acceptance rate. The example that comes to mind is mapquest. For a site like this, the URL / function of the site makes navigating to it a signal of user intent, in that they (a) know that the permission request could be made and (b) deliberately did something to go there.

 

I've been very frustrated recently at the number of sites that I hit that immediately ask for notification permission as an example.

Notifications like this are indeed annoying. I don't think the above logic applies to notifications and I think we could require a user gesture to be attached to the permissions request. I don't know if we need the new has-a-gesture-ever-happened signal, we could probably use the old this-permission-request-was-from-a-gesture signal.

note that this will break facebook's current flow

Yep, it would, and a bunch of other sites as well. I think we should let the notifications team drive this, if it happens, and make sure it is covered by the spec.

+Peter Beverloo for thoughts...

 

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permission...@google.com.
To post to this group, send email to chrome-perm...@google.com.

To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CAEYdGOXDLhbp7kD%3DBoTYP7RARY3eNMbVvithYQMtkcaXpOWyig%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "chrome-permissions-team" group.

To unsubscribe from this group and stop receiving emails from it, send an email to chrome-permission...@google.com.
To post to this group, send email to chrome-perm...@google.com.

To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-permissions-team/CAKYwr4qvnjRNc%2BAXu-uBzL5d%3DF3aEO2-5OCYEFXzinSKhdputw%40mail.gmail.com.

--

 -Dom.