
Reducing notification permission prompt spam in Firefox - barryvan
https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/
======
zaroth
Downgrading the prompt to a non-popup icon in the address bar unless it
follows a user action sounds like the perfect balance.

This won’t entirely stop sites which are properly trying to request the
permission in the worst case, and the navbar icon is unobtrusive enough that
if it gets spammed it’s no big deal.

Actually I think it makes sense to persistently show the notification icon in
the navbar once the permission has been granted (same with mic, audio, and
anything else) providing a quick glance at any privs that have been granted
and an obvious way to revoke them.

The icons would then need granted and non-granted states, and perhaps even
three states;

\- Black : requested but not authorized

\- Black with green check : granted

\- Grey with red x: requested and denied

~~~
phkahler
>> Downgrading the prompt to a non-popup icon in the address bar unless it
follows a user action sounds like the perfect balance.

I disagree. There should be no UI for these. A site should essentially say
"click here to enable XXX" as part of the page. Anything else is essentially a
pop-up. I don't want buttons or controls in my browser to be controlled by a
web site. BTW that includes the back button - why browsers ever allowed sites
to take control from the user is beyond me.

~~~
Wowfunhappy
> A site should essentially say "click here to enable XXX" as part of the
> page.

Then the site will just make their own annoying popup asking to enable
notifications. By giving UI control to the browser, the browser vendor can
decide how forceful it should be.

------
bunderbunder
> Most prompts are dismissed, while almost 19% of prompts caused users to
> leave the site immediately after being confronted with them.

Guilty. I've started taking requests for permission to send push notifications
as a strong signal that I've accidentally clicked on clickbait.

~~~
basseq
What's the logic for publishers, here? "If we add this feature, we will
immediately bounce 19% of our traffic." Why would you do that? Or is this a
scam thing where that 19% just proved they aren't suckers, so you don't want
to waste your time on them?

~~~
codedokode
You bounce 19% of your traffic but some other 30% might accidentally agree to
the notifications and now you can bump your traffic every day by sending them.
Those 19% are probably useless people with adblockers that never give their
email or click any ads so you lose nothing anyway.

Also, you can send ads using notifications and earn money.

------
LeonM
Serious question though: has anyone here ever used the notifications for
anything other than web based IM (slack, whatsapp)?

I think the use case for legit notifications is very small, thus the UI should
be an opt-in, rather than an intrusive pop-up.

I never understood why browser makers gave it such a prominent UI, and of
course in this attention seeking market it was bound to be abused. The new UI
that Firefox is suggesting in the article is good, this should have been like
this from the first day. I hope other browser vendors quickly follow.

~~~
djsumdog
Looking at my permissions, it'd only Mastodon/Pleroma instances and chat. The
other 80~90% of sites that request permissions are blocked.

The most annoying are news/blog sites. Who the hell actually clicks Allow?
Like 1%? 2%?

~~~
jacurtis
According to the article, overall acceptance rate on the notifications popup
is 3%. But that will include legitimate notification requests like Gmail,
Discord, Slack, etc..

That also includes people that just randomly accept any notification their
computer gives them. This is older people who don't understand the specific
permissions they are granting.

There was one time I was clicking on a navigation element right as a popup for
notifications popped up and i accidently clicked it. I immediately went in and
reverse the permission to block access, but I am sure there are use cases of
accidental acceptance as well.

So considering all of that. My guess is that real intentional adoption is
below 1%.

~~~
efreak
This is an occasional problem I've had on multiple platforms (Android/Windows
OS, browser UI, ZoneAlarm way back when, etc). Why is it not yet a thing to
ignore the first click within 50-100ms or so of a dialog popping up?
Especially on desktop where you can find out if the cursor was already in
place before the pop-up showed.

------
teekert
It's insane that the two visible options are "Not now" and "Allow
notifications" while 99 percent of the time I want never bother me again, in
fact disable this feature entirely. I clicked yes exactly 3 times (my own
Nextcloud instance, Protonmail and Whatsapp web), I'd be happy to do some more
clicking to enable those at the "cost" of never being bugged again.

~~~
giancarlostoro
I was beginning to wonder if I can disable globally by default and have no
popups, just manually enable it for a specific site if I want it badly enough
(I don't think I ever will anyway).

Of course then they'll start showing weird UI pop ups to enable stuff, but if
websites ever do that I will close them as I do with sites that tell me to
disable adblock, the last few times I ever got malware on my system was due to
ads, I am NEVER turning off adblock. This was many years ago, now I only
download FLOSS just to keep it that way.

~~~
robinwassen
User script that overrides the API to noop. :)

~~~
giancarlostoro
I'm just bummed the old greasemonkey site is gone (or whatever it was called),
it feels awkward trying to find scripts now.

~~~
airstrike
I'm even more bummed the old stylish plugin was really malware

[https://www.theregister.co.uk/2018/07/05/browsers_pull_styli...](https://www.theregister.co.uk/2018/07/05/browsers_pull_stylish_but_invasive_browser_extension/)

~~~
giancarlostoro
Eventually, it wasn't always so but yes that's disappointing.

------
nobrains
There is one more reason why the acceptance rate of notification prompts is
low (3%), other than the two points mentioned by Mozilla.

THAT reason is that simply people do not want to be notified. They value their
attention in these times of constantly being bombarded by attention seeking
prompts, ads and notifications, that if asked, people surely chose not not
being bombarded more.

~~~
accatyyc
I’d say Mozilla is right in their wording. Your point here is also included in
that - if websites showed the push dialog responsibly, it would be for example
in the website settings after the user checked a box called “send me push!”.
Many good web services do it this way, and if done this way I suspect the
accept rate is closer to 100%.

Some people might want push from news pages, but 97%+ don’t, so it makes no
sense to request it immediately.

They probably even lose subscribers. Someone who read some content and liked
it, decided that they want push may have already opted out because they didn’t
know the site yet.

------
nindalf
This “feature” is abused terribly around the web. For every site with useful
notifications like gmail, there are 10 which misuse it. Yesterday I had the
misfortune of misclicking on the prompt from a website. I started getting
notifications like “YOUR COMPUTER IS INFECTED WITH A VIRUS”. Turning off
notifications for that website took at least 4 clicks through Chrome settings.
Good to know there is a setting to turn it off completely on Firefox. If I
personally actually wanted notifications from a service, I’d install the
mobile app.

Second, Mozilla seems to use telemetry data responsibly and well. Turning
_off_ notification prompts by default can’t possibly be done unless you have
the data on acceptance rate on different types of prompts. If you’re making
such decisions based on your intuition you’d likely get it wrong.

I ask the folks on HN who constantly criticise the collection of such
telemetry, what did I lose as a user when Firefox collected this anonymised
data? More importantly, how would you have made a decision here without the
data? Intuition? (I’d request that no one reply with platitudes like “with
enough data nothing is anonymous” and “you’re making a nothing-to-hide
argument”)

~~~
codedokode
I think the bad thing is not telemetry itself but the fact that it is silently
enabled by default instead of asking the user whether they agree to it. Make
it voluntary and there would be no problems at all. I didn't ask for this
feature.

Also, one doesn't need telemetry to notice how notifications are abused on the
web. You can just start a browser, visit top 1000 popular sites and count how
many of them show the popup.

Also, it seems like everyone tries to abuse notifications. For example,
Youtube app shows a notification when the channel you are subscribed to
releases a new video. Is it so urgent, that you need to distract the user?
They could show this information when the user opens the app.

~~~
Vinnl
> Make it voluntary and there would be no problems at all.

Unfortunately that would make the telemetry non-representative. That said, it
_is_ opt-in when possible, if you consider "using Nightly" as opt-in (it's
clearly explained before and after installing Nightly).

> You can just start a browser, visit top 1000 popular sites and count how
> many of them show the popup.

That doesn't tell you anything about what behaviour led up to a permission
request that got granted vs the 97% that got ignored. Furthermore, it wouldn't
have told them that the notification request is denied far more often by users
than the webcam/mic request.

> Also, it seems like everyone tries to abuse notifications. For example,
> Youtube app shows a notification when the channel you are subscribed to
> releases a new video. Is it so urgent, that you need to distract the user?
> They could show this information when the user opens the app.

It would be nice to have data on when users revoke permissions again as well,
indeed.

------
adrianmonk
I'm still shocked that anybody thought the first generation implementation of
this (in any browser, not specific to Firefox) was ever a good idea. I can see
making the request visible to the end user, but... _as a dialog_? Why?

At least make it a narrow bar across the top/bottom that doesn't obscure web
site content and can be easily ignored. Perhaps better would be to make it a
button like there is a button to favorite/bookmark a site. A dialog isn't even
near the top of the list of good designs.

~~~
Someone1234
Agreed completely.

\- Why are dialogs still a thing?

\- Why is stealing focus still a thing?

Browser makers, operating system manufacturers: Stop it. Dialogs are hot
garbage, and users ALONE should have control over input focus. If you need the
user's attention flash/animate.

If you cannot make a thing without a dialog, focus lock, or focus theft then
maybe the thing you were trying to make was inherently a bad idea.

Windows is terrible at this. I was running the Visual Studio Installer in the
background and it stole key-input focus dozens of times, often going to black
dialog boxes that immediately closed leaving focus on nothing.

~~~
throwawayjava
I had no idea wth you were talking about until you mentioned Visual Studio
Installer, then I knew immediately what you meant.

This is a huge problem for Windows and Mac.

~~~
Someone1234
Open notepad. Press a key over and over. If the key-press stops going to
notepad then focus has been transferred/stolen. Firefox's Notification
Permission dialog has this behavior within the browser.

For example go to Reddit or Facebook, start entering text, the notification
permission dialog will appear, steal focus, and now your key-presses go into a
black hole.

The whole concept of focus-theft is an anti-pattern. Interestingly one mobile
operating systems originally designed out but has slowly been creeping back
in.

~~~
adrianmonk
Every time it happens, I feel like Charlie Brown trying to kick that football:
[https://peanuts.fandom.com/wiki/Football_gag](https://peanuts.fandom.com/wiki/Football_gag)

------
_nedR
Just a couple weeks ago i was helping "disinfect" an android phone for a
acquaintance (shopkeeper) here in India.

The "virus" in question was chrome notifications for spam/porn/malware
probably from malvertisements embedeed in some websites. It took me several
minutes to locate and disable them. You would think that chrome on android
would give an option to disable an offending notification from the
notification bar but no, you have to go digging in the chrome settings and
scan through the permission list to find the offenders.

While i certainly think it is a useful api needed for the free web(i still
prefer websites over apps which are essentially websites with undeleteable
hypercookies), Mozilla and Google need to do a better job protecting the
literally billions of people who are less literate (either in tech or english)
from the cesspool that is online media.

------
kgwxd
It would have been better if the notification API never existed and RSS had
become the de facto standard for subscribing. The only good use for a
notification API is urgent information, almost nothing on the internet
qualifies. Giving everyone the power ruined the whole thing.

~~~
TremendousJudge
Yeah the only thing I think it's actually useful for is chat apps -- and for
the ones I use frequently I ended up downloading their electron app anyway

~~~
Ajedi32
It's also nice for Google Calendar notifications.

~~~
kgwxd
Convenient, but anything truly important requires multiple forms of
notification anyway since you might not be in front of your browser. I usually
set sticky reminders (e.g. order more contacts) to send an email, and do-it-
now reminders (e.g. ZeroPage Homebrew is live on Twitch now!) to both email
and SMS. Browser notifications are pretty redundant after that, but nothing's
wrong with having multiple fail-safes if you're really paranoid about
forgetting something.

------
amanzi
Good work from Mozilla, but it won't help prevent those sites that pop up a
HTML modal asking you to subscribe by email AND then a few seconds later pop
up another HTML modal asking to send you notifications to keep you up to date
AND then sliding in something from the bottom with "relevant" posts AND maybe
also slide something else in from the top or sides with some other thing that
just ends up blocking the content you're actually interested in reading....

~~~
josephg
I opened a medium post the other day from my phone that did all this stuff. It
was amazing - there was a bar up the top asking me to install the medium app.
Then another bar below that asking me to subscribe to the author or something.
Then a call-to-action pop-over on the bottom of the screen asking me to join a
mailing list or something.

Only about 1/4 of my phone screen was left displaying the content - which
wasn't even enough space to see the post's title on my plus sized phone.

I closed the tab, because who has time for that?

I can never tell if websites don't know how many people get turned away by how
awful their websites are, or if they know but figure its a good deal. (Maybe
medium figures an X% drop in blog engagement is worth it if a few readers join
their mailing list).

In the meantime I'd like it if all browsers added an option to automatically
block all website notification requests. Firefox does this, and its great.

~~~
luckylion
> I can never tell if websites don't know how many people get turned away by
> how awful their websites are, or if they know but figure its a good deal.

Having been told to implement aggressive exit-intent overlays on sites: I'm
pretty sure it's the latter. A substantial amount of people don't bounce if
you throw an annoying "do you really not want to know this secret?" overlay at
them with an option saying something like "OK YES I WANT TO KNOW". I hate
sites that do it, but for most sites, it's not tech-adept power users that
make up the audience.

~~~
peteretep
My favourite thing about using 1Password to store my credit-card details is
the number of times I've gone to pay, started moving my mouse to the 1Password
button, and the exit-intent fires and gives me a discount I wasn't expecting.

------
krelian
Maybe I missed it but I don't see a discussion about how the majority of sites
are actually showing a "pre-prompt" for notifications before triggering the
actual prompt from the browser. This is similar to how apps ask you to rate
them using some internal UI and only if you rating is the desired one (5
stars) send you to the app store so you can rate them there.

With the notifications a 3rd party script is used to display a Yes/No prompt
for notifications and only when you click yes on that prompt it triggers the
browser's yes/no prompt. This allows the site to show you the notification
request on each session while if they used the browser's native prompt they
could only show it once.

~~~
rypskar
>>the majority of sites are actually showing a "pre-prompt" for notifications

Do a majority of sites do this? I have never seen it, but have seen the
browser notification prompt several times

~~~
krelian
I'm in ecommerce so I visit a lot of online stores. I'd say about 80% of them
are doing this.

------
bitt
Websites should not ask users for permission notifications. It only annoys the
people using it. It is a bad idea!

If users are interested enough in your content, they will find a way to opt-in
for notifications like email; an opt-in for notifications button or even RSS.
Why would website owners assume that users want to get notifications only
after 5 seconds of visiting a random site?

~~~
jacoblambda
Some of them do have legitimate uses, like chat apps (messages.android.com for
example). Otherwise though I do agree that they are a fairly bad idea.

~~~
valtism
Even then, notification permission should not be requested without some sort
of prior input from the user. A simple red bell icon with the hover text
"enable notifications" would work so much better than the user being assaulted
with the dialogue box right away.

It really is a shame to see how terribly these permission requests have been
abused, especially by news sites. I see this is a push for engagement by
management, and not sufficient pushback from developers against this dark
pattern.

This is not a difficult feature to implement well, and we should know how to
do it properly after years of mobile permission request design.

~~~
beatgammit
Yeah, it should require user interaction to trigger the prompt. In fact, some
of the better websites do this already.

This should be the same for nearly everything, like:

\- playing video/audio automatically \- location access \- direct GPU access

In fact, it would probably make sense to include all scripting (JavaScript and
web assembly).

To make this suck less, the website should be able to request multiple
permissions at once, with each permission able to be granted individually and
websites able to put a short reason why each is being requested. Those
permissions should show up in an easy to use menu for each site, like the TLS
info button. Perhaps that same menu is the only way to enable/disable, so no
popups, and all permissions are disabled by default.

------
scoutt
Notification requests are really saturating my patience. I appreciate the
Mozilla/Firefox efforts for creating a user-first browser, with this and past
features.

I always avoided (or at least I try not) to provide any telemetry data, but in
the case of Firefox, if these are the kind of improvements we may have, maybe
I will opt-in for anon telemetry.

Is the voting-with-your-wallet era moving into voting-with-your-telemetry era?

~~~
tinus_hn
It has always been that way. If you had one of these boxes that measured the
channels you watch on tv, you had much more influence on what’s going to be on
next year than other people. If you fill in an (anonymous) questionnaire about
politica issues you have more influence on these issues than people who just
cast one vote.

------
jtokoph
I think that no matter what solution the browsers decide on, we will always
have to fight the “pre-permission prompts” from websites. These are the
homemade prompts in JS and html that the sites pop up that essentially ask if
you want to be prompted for the real permission. Once you click accept on
their dialog, they hit the real browser api to show the native dialog.

~~~
DanHulton
I actually mind those a lot less, since these prompts can be used to properly
set expectations about how the notification permission will be used.

Or at least, I mind these a lot less in theory, since it feels like they're
rarely implemented this way. It's a golden opportunity for app developers to
explain why they want to send you notifications, what benefit you'll get from
it, and how often you should expect to be notified, and recipe sites are using
it to trick you into effectively signing up for a mailing list.

------
kenhwang
Yes! I hate the notifications prompt showing up on the landing page of a
website. I definitely support the browser blocking nuisances until there's
user interaction, things such as: sound, videos, popups, and request for
permissions.

------
mrec
It's slightly unfortunate that after reading this I went to
[https://developer.mozilla.org/en-
US/docs/Web/API/notificatio...](https://developer.mozilla.org/en-
US/docs/Web/API/notification) to read up about them, and immediately got an
unsolicited "allow notifications?" prompt.

~~~
Macha
To clarify: MDN in general does not ask for notification permissions.

However, it does execute code samples on the page.

That page has a code sample for requesting permissions.

------
parkersweb
Hmmm - I can see how this is a good thing for the notification permission
(there are far too many news/blog sites starting with that request) - but it
looks from what they're saying that microphone/camera will still use the old
method. Won't that be a bit confusing?

As an aside I've often wondered why cookie permissions couldn't be moved to a
similar model? It would create a much more consistent experience instead of
the popup insanity we currently have across Europe...

~~~
erfgh
Use this for the cookie permission popup nonsense:
[https://addons.mozilla.org/en-US/firefox/addon/i-dont-
care-a...](https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-
cookies/?src=search)

------
l0b0
About time. Introducing a feature like this without a "Go away, and never come
back!" button was a big UX fail IMO.

On a related note, seems like desktop notifications would be a great venue for
remote code exploits. Have there been any yet?

~~~
epse
Under the big arrow next to the "Not now" button is a "Never on this site"
button, of that's what you mean. Otherwise there is the settings item (which,
admittedly was added recently)

~~~
alpaca128
I don't want a "never on this site" button, I want "disable popups forever and
don't pester me again". Glad this can be done in the settings now.

------
ams6110
As a user, I don't even really understand what a "notification" is but it
sounds annoying. I don't think I've ever allowed them when prompted. I didn't
realize until reading this that I could disable these prompts entirely, but I
have just done that.

------
xg15
Straw proposal: Get rid of the whole system of permission prompts completely
and instead introduce a special input element for each permission.

Example: Instead of calling a JS API to show a prompt for push notifications,
you'd embed an [input type="push-permission"] element in your page. This
element would render as a special button that grants you the permission once
the user clicks on it.

However, embedding it into a context where the user would actually _want_ to
click it, is your responsibility.

It would still be possible to spam the user with "self-made" overlay popups,
but this is already possible today. The button would also need protection
against clickjacking, which, I think, can be done by restricting how it can be
styled or layered.

~~~
deanclatworthy
This will only result in people finding clickjacking methods to trick you into
pressing. I would prefer that you can only trigger the request (using JS) on a
top-level click-event, similar to how audio works on iOS (maybe Android too?).

------
jfoster
I feel that browsers are really getting permissions horribly wrong. The
prompts often look very similar to each other (no icons) regardless of what
they are for. Some permissions are detectable, others are not. When a site
tried to use a function that's blocked, the notification in the browser is
often easy to miss, leaving users wondering why the functionality isn't
working.

If it were good:

1\. Users would be very aware of the request or attempted use for any
permission.

2\. Users would be able to easily ignore that request without the permission
prompt interrupting them.

It seems that browser vendors are struggling with a fairly simple UX problem.

------
abdusco
I welcome this change. Notification prompts have lately become the new popups.
Almost every WordPress blog under the sun now is nagging for notifications.

------
codedokode
In my opinion, notifications are poor UI solution:

\- they distract attention

\- they obstruct content below

\- they disappear quickly

Also this allows the site to monitor whether user's computer is on or off even
if all the tabs with the site are closed.

In Windows XP the way for an app to ask for user's attention was to highlight
app's button on the taskbar (it also could flash several times which I never
liked). While this is a little bit distracting too, it is still much better
than Android-style notifications. With Windows XP, you can switch to the app
when you have time.

Browser push notifications were designed with interests of developers in mind,
not with interests of users.

A better solution might be to highlight the tab that needs user's attention
and highlight browser's button on the taskbar.

On the other side, Android-style, annoying notifications might be easier to
notice and understand for users who don't understand computers well.

I think Firefox devs should also consider switching from Android-style
distracting notifications to time-tested solution from Windows XP. I don't
think the ideas from the article will work.

For example, they suggest to show an icon in the address bar but there are
already too much icons and users might not notice it. And if you allow to show
permission popup only after click, then sites will show it after you click
anything.

------
owaty
The article doesn't seem to mention this, but you can already disable popups
for notifications in Firefox.

1\. Go to Preferences, Privacy & Security

2\. Scroll to Permissions > Notifications, click Settings...

3\. At the bottom of the dialog window, check Block new requests asking to
allow notifications

The permissions already granted will still work.

------
dsign
>> Most prompts are dismissed, while almost 19% of prompts caused users to
leave the site immediately after being confronted with them.

Finally! Some numbers from a respectable source showing that most pop-us are
bad for user engagement.

------
joecool1029
god forbid you leave firefox set to never remember history, you don't get the
option to block sites forever. So every time you hit a reddit link it will
gleefully present you with a prompt about notification permissions.

~~~
ecshafer
Wow thank you for pointing that out. I have always set my browsers to never
remember history, if I want to remember it, I will use a bookmark.
Consequently Reddit mobile will totally spam me, making it even more unusable
than before.

~~~
joecool1029
Alternatively you can workaround the issue by telling firefox to delete
history on close. This will allow you to block notifications per-session.

------
caltelt
I feel like Solution 1 is pretty close to what I see as the "solution".

I think for commonly requested permissions that are not commonly accepted,
they should just use a smaller, more discreet icon for notifying the user; one
that doesn't hang down over the chrome and block/cover up the site. That way,
it can be easily ignored.

It should be more obvious than the one they're using in that solution. Maybe
something equivalent to an icon next to the refresh button or something. The
text icon they had in #1 was probably /too/ easy to ignore.

~~~
iKevinShah
As someone with "not-so-tech-savvy" users on my website, this is bound to get
ignored a lot. I have seen screenshots of my users (when they need support)
and they dont even click "Okay" on the Cookie bar (to accept cookies and
stuff) and / or any notification on the website (Not the Push Notification).

~~~
Dylan16807
Is there a reason you have a cookie bar? The idea of a 'click ok' bar should
be dead since GDPR adjusted the law. If it's not for tracking then you don't
need a bar. If it is for tracking then whenever possible the site should work
without opting in.

------
makecheck
“Reduced” should be “zero”. Prompts are fundamentally broken; they replace
simple interactions with “STOP, answer this question NOW!” scenarios. A
sensible solution would be: _automatically deny by default_ because sites
don’t really need to be asking up front! They can either give you another way
(e.g. button/field) or they don’t have business querying this in the first
place.

Simple example: On one site I used to just type in my zip code (easy but
explicit transfer of information) and it immediately zoomed a map to my
specified area. Then one day they changed it to magical location tracking;
now, before I can even enter the stupid zip code (still an option and all I
ever want), I get a “STOP! Share location!?!?” kind of interaction first. I
have to find it, close it, then enter a zip. I had the zip code in my head and
would be able to type it in a second with no delay but instead, I am
distracted. Or maybe I was copying and pasting. Everything about immediate
form access was efficient.

All prompts have this problem. The potential for a prompt out of the blue
makes direct actions slower, and any other case where a prompt might appear is
going to be an undesirable interruption telling you about things you didn’t
want happening anyway. User agents should be saying No to unreasonable
requests _for_ me, like a good manager.

~~~
ThePowerOfFuet
The difference is that the ZIP code doesn't tell them the exact house in which
you live.

------
wnevets
Good to see, I outright disabled them. Its pretty rare when I would ever want
something like this.

------
qwerty456127
I don't want to receive notifications from any site nor grant any permissions
to any website ever. Perhaps some people want to grant permissions and to
receive notifications from some websites but it seems obvious that will always
be about just a small selection of favourite websites. So I doubt it even is
reasonable to pop anything up, just make subscribe/allow buttons easy to find
yet waiting for the user passively.

------
Causality1
If I want to be bothered at random I'll install the app. This functionality
should never have been bundled into a web browser.

------
dmitriid
It still boggles my mind how over engineered that prompt is in Firefox [1].
And glad to see that the new prompt follows Safari’s simple “Allow /
Disallow”.

[1] Of course I got into a shouting match on Twitter about it some time back:
[https://twitter.com/dmitriid/status/920293887746433024](https://twitter.com/dmitriid/status/920293887746433024)
and
[https://twitter.com/dmitriid/status/920373234104700931](https://twitter.com/dmitriid/status/920373234104700931)

~~~
scarejunba
I honestly think a patch is a more productive way to deal with this if you're
a developer who wants to see the functionality.

~~~
dmitriid
What if I'm a developer who has no idea how Firefox UI works?

------
gvand
Notifications are the new popups, just add an option to disable them
completely.

------
Animats
Making the "Never Allow" button directly accessible is a big win.

------
lvs
The notification prompt should be a good lesson in feature creep for browser
vendors. Pretty much applies to all "engagement" features: If you build it, it
will be abused.

------
Vinnl
I wonder how many of the currently-accepted prompts are already in response to
user interaction. If it's most of them, then the first option would still be
reasonable.

------
beezischillin
Good. The whole notifications thing is BS as it’s used on most of the web and
is actively exploited and there’s no “don’t show this again” prompt to be
found anywhere. The only sites that do it gracefully show a cookie-consent-
like floating div that pops the prompt up if you accept it. I have honestly
been looking into completely disabling the whole thing but despite Safari
being quite good usually, there is no option to do that anywhere to my
knowledge.

------
amelius
I think there should be a difference between sites which the user is merely
browsing, and sites which a user is actively using. The former shouldn't be
able to show popups, while the latter may. Moving a website from "browsing" to
"using" state could be done with a (small) button in the top bar. It's in a
sense like "installing" an app.

------
eriktrautman
The UX pattern that should be observed is preflighting -- ask the user if they
want notifications from within the webpage (if appropriate, obviously) and let
them know it'll prompt a browser dialog. If they say yes, you're good to go.
It's an extra step that significantly improves both conversion and experience,
often used in mobile.

------
jasonkester
Global setting: “I will never choose to receive notifications from a website.”
Linked directly from that popop.

Sorted.

Chrome already does this right with language translation: “do you want to
translate this website?” “No”/“Never translate this site”/“Never translate
French”

Do that with notifications And well never need to see that prompt again.

------
kyancey
It's completely rude to send a browser notification prompt without prior
warning. The solution to this is html notification prompts that only trigger
the browser notification prompt when the user clicks on them. They aren't as
intrusive. That's what I use on my wordpress site.

------
vbuwivbiu
what I would dearly like to have is a way to disable the Firefox update
notification that pops up every day

------
EamonnMR
While we're at it, some sort of "always opt in or opt out of cookies" standard
would be very nice. I'm really tired of sites asking for permission. Forcing
companies to ask to use cookies was a mistake, cookies on/off should have been
a browser feature first.

~~~
CodeCube
It was ... it just wasn't really exposed except as "arcane configuration that
99.9% of users would never even know was there". This is why we, as an
industry need to be proactive in putting the user first in decisions like
this, because if we don't, it will get abused, and then that's when the
regulation comes (and rightly so).

~~~
EamonnMR
Tracking is the reality, cookies are merely one form of it and disabling them
does basically nothing. "Regulator mandated popup" is the worst possible
outcome.

------
gkfasdfasdf
If a website presents a pop up to me asking if I want notifications, I click
yes _then_ I click block when the browser dialogue appears. No more
notification pop ups on that site.

I realize I can categorically block all notification permissions, but there
are some sites where I want to allow them.

------
EamonnMR
Is there a plugin or setting to auto reject these in firefox and/or chrome?
Notifications are something I will never want from a website, and most of the
time its as annoying as a popup. No, random news site for somewhere I don't
live, I would not like your notifications.

------
CheckBlanket
These notifications can in a way act as a sort of adware. I had family friends
who complained of pop ups on their laptop advertising dodgy products. Turned
out they'd accidentally dismissed one of these with an OK and was being
spammed in the desktop environment via Chrome.

------
gwbas1c
IMO, it makes more sense to require that the permission prompt is tied to a
button instead of directly triggered by a script.

IE, the only way to display the permission prompt is to put a button on the
page, and then the permission prompt is only shown when the user clicks the
button.

------
Reason077
These are super annoying in Safari, too. Apple needs to take note and follow
Firefox’s lead here.

~~~
_yields
You can completely disable them for all websites, and allow notifications for
some websites.

I disabled them and never see them anymore.

~~~
dingus
I disabled the allow push notifications checkbox in Safari, but still get
prompted with the native Safari modal. I'm not sure how this is done, and it's
infrequent, but I'm guessing Safari left a hole in their notifications web API
that is being exploited.

Safari's implementation could also be improved. The modal forces you to chose
without the ability to cancel, and saves the website into your preferences,
even if you just want to immediately close the tab.

------
everdrive
First thing I do on a new Firefox install (among other things) is disable all
new requests for Alerts. I've never wanted a website to send me alerts, and
I've never met anyone who wanted them. Who is the audience for this?

------
aasasd
> _User interaction is a popular measure because it is often seen as a proxy
> for user consent and engagement with the website._

“This site uses COOKIES! Click here to brush off this interruption and be
presented with the page proper.”

------
lucaspottersky
Those omnipresent dialogs are a cancer on the web. It was the worst idea ever.

I actually can't believe the browser vendors made basically the same mistake
as the obnoxious JS "alert()"

------
otikik
I would be happier if Firefox dropped the prompts "feature" completely. Just
ignore it. Less code, less dependencies, and less hassle for everyone
involved.

~~~
andybak
And you can't think of any valid use-case for notifications for anyone?
Bearing in mind that we are talking about a huge range of potential apps that
now run in the browser?

How about communication apps? Or reminder apps?

~~~
otikik
Make the 10 users who need those install a plugin.

------
akerro
I'm still surprised µblock doesnt have a list for this.

------
h43z
The name notification permission is misleading. Because what it actually does
is run _any_ code from websites you aren't even visiting currently.

------
posedge
Nice to see Mozilla doing something against this. I've found those unsolicited
notifications to be annoying in 95% of the cases.

------
jrochkind1
OK, changing tools is painful, but I think they're gonna actually get me to
switch to firefox.

~~~
mj_olnir
It took me a bit to adjust from Chrome, but I haven't looked back.

~~~
jrochkind1
Any advice to a potential switcher from Chrome? Anything you did to make FF
more Chrome-like in any ways or whatever?

As a web dev, I'm scared of having to learn the new dev tools (I'm gonna use
the same primary browser for web dev as for everyday, realistically). Do you
use the dev tools, did you find it easy to switch there?

------
rb808
Does even know what the push notifications do? I'm too scared to ask for them.

------
aliswe
"Since notifications can be sent after you leave a site"

What? How?

------
erikbye
I just disabled 'dom.webnotifications.*'

------
ezoe
Whoever thought implementing to show every notification permission prompt to
the browser is, excuse my language, an idiot.

------
dishwasher1999
Anyone remember when browsers were just browsers?

------
mixedbit
Most sites today display cookie or GDPR popup, such sites could abuse clicking
OK or Cancel on such popup as the user action that triggers enable
notifications.

------
maverickmax90
Finally

------
ackfoo
I don't understand what is wrong with the folks over at Mozilla. Are they
stupid, or are they taking bribes?

How about an option for, "No, I don't want notifications from any website,
ever!"

How about an option for, "Don't auto-play video, including silent video, ever.
Not audio either. Never. Just don't."

How about an option for "I know what cookies are. Never, ever warn me about
them again. Ever."

I don't know if the devs are just young and inexperienced, or if they are
truly brain-damaged, or if they are corrupt and some advertiser said, "Here's
a million dollars to leave those notification prompts in, heh, heh, heh".

At this point it's like smoking in movies. There has to be some cigarette
maven with a pallet of cash going into the production office on the back lot
somewhere, because otherwise why does every young director show all the 'cool'
people puffing away on something that's going to waterboard you with COPD for
the last 40 years of your life?

Mozilla, we don't want any of that shit. Fuck that shit.

------
chappi42
Good opportunity to voice my displeasure about the update notifications!
Sorry, IT SUCKS!

It is really annoying that Firefox forces me to read about complex policy
settings to avoid this. I have reasons not being able to update on a certain
computer at certain times. (Already blocked the update checks, `# prevent
Firefox update checks 127.0.0.1 aus5.mozilla.org`, but it seems I still have
notifications).

------
jopsen
I wish Mozilla would use this as a profit opportunity.

Pay a fee to get your domain whitelisted for features like fullscreens,
notifications prompts, etc.

Part of the fee goes to handle complaints, if your site gets too many
complains or is found to violate policies your sites permissions are revoked
and you need to remedy the situation and apply again.

If Facebook can responsibly handle not sending me notifications I don't need
they won't get any complaints from me. But if they notify all users about a
useless auto-generated-end-of-year-movie they made, then perhaps they'll loose
permissions.

For certain features it wouldn't be unreasonable to require that sites are
vetted. There could be tiers related to how many uses you have, such that
small companies aren't locked out.

