WebLLM

The Permission Model That Changed the Web

How browser permissions for location, camera, and notifications created a new paradigm for user control

WebLLM Team
The Permission Model That Changed the Web

The first time a website asked to know your location, something fundamental shifted. For the first time, you—not the website, not your operating system—decided whether an application could access a powerful capability.

That permission prompt changed everything.

Before permission-based APIs, powerful capabilities required either native apps (with their all-or-nothing permission models) or dangerous plugins (Flash, Java) that users blindly trusted. After? The web became a platform where users could access powerful features while maintaining meaningful control.

This is the story of how browser permissions work, why they matter, and what they teach us about designing capabilities for users who deserve both power and privacy.

The Before Times: Plugins and All-or-Nothing

The Flash/Java Era

In 2005, if a website wanted to access your camera, it used Flash. Here's what that permission model looked like:

  1. User installs Flash Player (once, for all sites)
  2. Flash had broad permissions by default
  3. Individual sites could use Flash capabilities
  4. Users had almost no visibility into what Flash accessed
  5. Security was Adobe's responsibility, not the browser's

The result? Flash was a security nightmare. It had access to:

  • Local storage (cookies that couldn't be cleared normally)
  • Network connections (cross-domain requests)
  • Camera and microphone (with a tiny, forgettable prompt)
  • Clipboard access
  • System fonts (enabling fingerprinting)

When you "allowed" Flash to run, you effectively gave every Flash-using site these capabilities. No granularity. No per-site control. No browser integration.

Native Apps: The Other Extreme

Meanwhile, native mobile apps had permissions, but they were coarse:

iOS (early versions): Almost no permissions—apps could do most things silently.

Android (pre-6.0): Permissions were granted at install time. Want to install a flashlight app? Accept 15 permissions including "read contacts" and "access location." Users learned to click "Accept" without reading.

Neither model worked:

  • Plugins: Too permissive, no user control, security delegated to third parties
  • Native apps: All-or-nothing at install, no granularity, no revocation

The web needed a third way.

The Innovation: Browser-Mediated Permissions

Geolocation: The First Modern Permission

In 2009, Firefox 3.5 shipped the Geolocation API with a new model:

navigator.geolocation.getCurrentPosition(successCallback, errorCallback);

Simple code, but what happened behind the scenes was revolutionary:

  1. Site requests capability via standard JavaScript API
  2. Browser shows permission UI (not the site)
  3. User makes explicit choice (Allow/Deny)
  4. Browser remembers choice per-site
  5. User can revoke anytime via browser settings

This was fundamentally different from plugins:

AspectPlugin ModelPermission Model
Who asks?The pluginThe browser
Trust relationshipUser → Plugin → SiteUser → Browser → Site
GranularityNone (all or nothing)Per-site, per-capability
RevocationUninstall pluginClick in browser settings
VisibilityHiddenAlways visible

The browser became the trusted intermediary between users and powerful capabilities.

Why This Works Psychologically

The permission model succeeds because it aligns with how humans make trust decisions:

1. Clear Requester Identity Users see which site is asking. "maps.google.com wants to know your location" is meaningful. "Flash Player wants to access system resources" is not.

2. Contextual Decision The prompt appears when the site needs the capability. Users understand why maps.google.com wants location. They might not understand why flashlight-app.com does.

3. Low-Stakes Default Denying permission doesn't break the web. Sites should (and mostly do) work without granted permissions. Users can safely click "Deny" if unsure.

4. Reversibility Made a mistake? Change it in settings. This makes users more willing to experiment with "Allow."

5. Browser Accountability Users trust their browser. If Chrome shows a permission prompt, users believe it's legitimate. The browser stakes its reputation on proper mediation.

The Permission APIs: A Tour

Location: The Original

// Simple request
navigator.geolocation.getCurrentPosition(
  (pos) => console.log(pos.coords.latitude, pos.coords.longitude),
  (err) => console.log('Denied or unavailable')
);

// Continuous tracking
const watchId = navigator.geolocation.watchPosition(callback);
navigator.geolocation.clearWatch(watchId); // Stop tracking

Permission characteristics:

  • Prompted on first use
  • Per-site memory
  • Coarse vs. precise option (newer browsers)
  • Active indicator (location icon in address bar)
  • Background access possible (with extra permissions)

User controls:

  • Allow/Deny per site
  • Clear permissions in settings
  • System-level location on/off
  • Block all location requests

Camera and Microphone: getUserMedia

// Request camera and mic
const stream = await navigator.mediaDevices.getUserMedia({
  video: true,
  audio: true,
});

// Get available devices
const devices = await navigator.mediaDevices.enumerateDevices();

Permission characteristics:

  • Prompted on first use
  • Separate prompts possible (video vs. audio)
  • Active indicator: Recording dot/icon in browser
  • Device selection (which camera/mic)
  • Screen sharing is separate permission

User controls:

  • Per-site allow/deny
  • Choose specific device
  • See when camera/mic is active
  • Stop sharing via browser UI (not site UI)

The active indicator is crucial—users can verify their camera is on regardless of what the site claims.

Notifications: The Cautionary Tale

// Request permission
const permission = await Notification.requestPermission();

if (permission === 'granted') {
  new Notification('Hello!', { body: 'This is a notification' });
}

What went wrong:

Unlike location or camera, notification permission has a low perceived cost and delayed benefit:

  • Users don't immediately see what they're granting
  • Value only comes later (when notifications arrive)
  • Sites abused this by requesting immediately on page load

The spam era:

// Bad practice (but common)
window.onload = () => {
  Notification.requestPermission(); // Instant prompt, no context
};

Every news site, e-commerce store, and random blog prompted for notifications. Users learned:

  1. Click "Block" immediately
  2. Never read what the prompt says
  3. Distrust all browser prompts

Browsers fought back:

Chrome's evolution:

  • 2015: Prompt anytime
  • 2017: Require user gesture (click) before prompt
  • 2019: Quieter UI for sites with low acceptance rates
  • 2020: Even quieter, harder to see
  • 2022: Warnings for abusive sites

The notification API taught a hard lesson: permission prompts can be abused until they're useless.

Clipboard: The Subtle One

// Modern clipboard API (requires permission)
await navigator.clipboard.writeText('Hello!');
const text = await navigator.clipboard.readText();

Permission model:

  • Write: Usually auto-granted on user gesture
  • Read: Always requires permission (sensitive!)
  • Separate from the old document.execCommand('copy')

Reading clipboard is sensitive—it might contain passwords, credit card numbers, private messages. The permission model here is appropriately strict.

Storage Access: The Privacy Response

The Storage Access API exists because of privacy:

// Request access to cookies in cross-site iframe
const hasAccess = await document.hasStorageAccess();
if (!hasAccess) {
  await document.requestStorageAccess();
}

As browsers blocked third-party cookies for privacy, legitimate use cases (embedded payment forms, social login widgets) needed a way to request access explicitly. The Storage Access API provides this.

The pattern: When browsers restrict a capability for privacy, they often create a permission-gated API to restore it for legitimate uses.

Permission States and Lifecycle

Modern permissions have three states:

const result = await navigator.permissions.query({ name: 'geolocation' });
console.log(result.state); // 'granted', 'denied', or 'prompt'

// Listen for changes
result.addEventListener('change', () => {
  console.log('Permission state changed:', result.state);
});

granted: User said yes. API calls work. denied: User said no. API calls fail immediately. prompt: No decision yet. API calls trigger the prompt.

This three-state model lets developers:

  • Check before triggering prompts
  • Adapt UI based on permission state
  • React to user changing settings externally

The Permission UI: Design Matters

How the prompt looks dramatically affects user decisions.

The Elements of Good Permission UI

1. Origin Identification

"https://maps.example.com wants to know your location"

The full origin (scheme + domain) prevents spoofing.

2. Capability Description

"Know your location" (not "access navigator.geolocation")

Human language, not API names.

3. Clear Options

  • Allow (this time / always)
  • Block (this time / always)
  • Not now / Ask later

4. Consequences Chrome's camera prompt shows your video preview. You see what you're sharing.

5. Active Indicators When permission is in use:

  • Location: Arrow icon in address bar
  • Camera: Red dot or icon
  • Microphone: Separate indicator
  • Screen sharing: Prominent warning bar

What Users Actually See

Over time, browsers have experimented with prompt designs:

Aggressive (early): Large modal, centered, blocks page Result: Permission fatigue, automatic deny

Subtle (too subtle): Tiny icon in address bar Result: Users miss it, confused why features don't work

Current balance: Non-modal but visible, with "quieter" variants for likely-spam requests

The Economics of Permission Prompts

Every permission prompt has a cost:

For users:

  • Cognitive load (must read and decide)
  • Interruption (breaks flow)
  • Trust decision (risk assessment)

For sites:

  • Potential denial (user might say no)
  • Abandonment (user might leave)
  • Training (users learn to auto-deny)

For the ecosystem:

  • Prompt inflation (more prompts = less attention)
  • Trust erosion (bad actors ruin it for everyone)

This creates a tragedy of the commons: each site's prompt makes all prompts less effective.

Best Practices That Emerged

1. Ask in context

// Bad: On page load
window.onload = requestNotificationPermission;

// Good: After user takes relevant action
addToCartButton.onclick = () => {
  showNotificationOptIn('Want shipping updates?');
};

2. Explain before asking

// Bad: Raw browser prompt
Notification.requestPermission();

// Good: Site explains first, then triggers prompt
showDialog({
  title: 'Get shipping updates',
  body: "We'll notify you when your order ships",
  action: () => Notification.requestPermission(),
});

3. Gracefully handle denial

// Bad
if (permission !== 'granted') {
  alert('You must enable notifications!');
}

// Good
if (permission !== 'granted') {
  showAlternative('You can also check order status in your account');
}

4. Never punish denial

Sites that nag, block content, or degrade experience when users deny permissions erode trust in all browser permissions.

Privacy vs. Capability: The Ongoing Tension

Permissions balance two legitimate needs:

Capability need: Web apps should be powerful Privacy need: Users should control their data

Some APIs got removed or restricted because privacy won:

Battery Status API (Removed)

// This used to work
const battery = await navigator.getBattery();
console.log(battery.level); // 0.73

Removed because battery level + charging status created a fingerprinting vector. The capability (show battery UI) didn't justify the privacy cost.

Ambient Light Events (Removed)

// Also removed
window.addEventListener('devicelight', (e) => {
  console.log(e.value); // Lux level
});

Could be used to infer what's on screen in same room (light changes from content). Removed for privacy.

Device Memory (Reduced)

console.log(navigator.deviceMemory); // Now heavily bucketed

Used to return precise RAM. Now returns bucketed values (4, 8) to prevent fingerprinting while still allowing adaptive experiences.

The Pattern

When an API enables fingerprinting without providing proportional user benefit, browsers remove or neuter it. The calculus:

User Benefit vs. Privacy Cost

High benefit (camera for video chat) + permission gate = keeps the API Low benefit (ambient light) + fingerprinting risk = remove the API

Permissions for the Future

How will permissions evolve?

1. More Capability-Specific Permissions Rather than "access storage," expect "store up to 1GB" or "access IndexedDB for this purpose."

2. Privacy Budgets Some proposals suggest sites get a "fingerprinting budget"—use too many identifying APIs and lose access to others.

3. Permission Bundles For complex apps, pre-approved permission sets: "This is a video conferencing app" → automatically camera + mic + notifications.

4. AI-Assisted Decisions Browsers might use ML to predict which prompts are likely spam and adjust UI accordingly (already happening with Chrome's quiet notifications).

5. User-Held Capabilities Instead of sites requesting permissions, users might proactively grant capabilities: "I want to share my location with maps sites" → no per-site prompts.

The AI Permission Question

When browsers add AI capabilities, they'll need new permission models:

// Hypothetical
await navigator.llm.prompt('Summarize this page');

What's the right model?

  • Is AI access like camera? (explicit prompt each time)
  • Is AI access like storage? (automatic for most cases)
  • Does AI need new controls? (model selection, data handling)

The permission patterns established by geolocation, camera, and notifications will inform this design.

Lessons from 15 Years of Web Permissions

1. The browser is the trust anchor Users trust their browser to protect them. Permission prompts leverage this trust.

2. Context matters more than words A prompt when the user clicks "Share Location" is understood. A prompt on page load is suspicious.

3. Active indicators build trust Users accept camera permissions because they can verify (via indicator) when it's active.

4. Abuse has ecosystem costs Notification spam hurt all permission prompts. Bad actors affect everyone.

5. Defaults matter enormously APIs that require permission are used less than those that don't. This shapes what developers build.

6. Iteration improves design Early permission UIs were worse. Chrome has changed notification prompts 5+ times. Evolution happens.

7. Privacy is a ratchet Once users expect privacy controls, you can't remove them. Expectations only increase.

Conclusion

The permission model is one of the web platform's most important innovations. It solved a fundamental problem: how to give web apps native-like capabilities while keeping users in control.

The next decade will bring new capabilities—AI, extended reality, new hardware access. Each will need thoughtfully designed permission models. The patterns established by geolocation, camera, and notifications provide the template.

Users who grant navigator.llm permission in 2026 will be relying on infrastructure built by the first geolocation prompts in 2009. The model works. The question is how to apply it well.

Further Reading

In this article:

Share this article: