Hacker News new | past | comments | ask | show | jobs | submit login
Reducing notification permission prompt spam in Firefox (nightly.mozilla.org)
777 points by barryvan on Apr 2, 2019 | hide | past | web | favorite | 260 comments

Downgrading the prompt to a non-popup icon in the address bar unless it follows a user action sounds like the perfect balance.

This won’t entirely stop sites which are properly trying to request the permission in the worst case, and the navbar icon is unobtrusive enough that if it gets spammed it’s no big deal.

Actually I think it makes sense to persistently show the notification icon in the navbar once the permission has been granted (same with mic, audio, and anything else) providing a quick glance at any privs that have been granted and an obvious way to revoke them.

The icons would then need granted and non-granted states, and perhaps even three states;

- Black : requested but not authorized

- Black with green check : granted

- Grey with red x: requested and denied

> Downgrading the prompt to a non-popup icon in the address bar unless it follows a user action sounds like the perfect balance.

Agreed. If it's in direct response to a user action (a sync response to a click or a tap on an element smaller than 300x300px, for example), I think it's perhaps more legitimate to have a more visible indication, like a strip across the top. (I'd want the element size constrained to avoid issues with sites adding `onClick` handlers to the `<body>` element or similar.)

> Actually I think it makes sense to persistently show the notification icon in the navbar once the permission has been granted (same with mic, audio, and anything else) providing a quick glance at any privs that have been granted and an obvious way to revoke them.

I believe Firefox already does this. It also shows you privileges which you've explicitly denied -- for example, if you disallow location access, you'll see a slashed compass next to the (i) button in the Awesomebar.

A nice tiling of invisible squares across the page can get around your element size restriction.

Do we even need the restriction.

We're talking about spammyness of a UI element because access requests are misaligned with user desire.

All you're saying is the site will pop up a request for access whenever I do anything, ok, how is that different to what we have no?

It's not going to be the norm, it's just going to be a few bad actors.

Doesn't mean we put up with spam everywhere else.

Aren't there already sites that show a fake permission request dialog? This won't stop them (and I don't see how you could without entirely removing the feature).

Yeah there's nothing you can really do about those as they're created using arbitrary DOM elements. This cuts back on the permission prompt spam that takes place directly with the Firefox UI.

This type of cancer is what we need in-page popup blockers for.

Mozilla has been promising to work on it and started a data collection program that I contributed to, but there are no news to share and the data doesn't seem to be publicly accessible. What a disappointment.

Nudge and you shall receive!


Thank you for contributing!


Do you have information about the progress of the project? How about a new extension that makes you click to remove the pop-up? The data collected that way could almost directly go into a neural network.

Do you happen to know whether there are extensions to automatically answer GDPR pop-ups (indeed while blocking in page pop-ups these should probably receive special treatment)?

I'm afraid this will backfire. We might see another wave of "click this icon in your browser to receive the latest notifications!" pop-ups showing up. Which would then require an adblocker to block these kind of popups.

So we use an ad-blocker to block a popup, which only appears because a browser vendor decided to hide a popup.

This is absurd.

No, that's fine. Because the "click this button in your browser" popup is part of the normal webpage DOM and can be blocked using existing tools. As opposed to this notification, which was (ab)using the browser itself to spam the user.

It’s not fine. Safari lets me disable the requests globally, which I did, because every stupid website asks for notifications permissions.

Since then, there’s a lot of in-page popups asking the same, exactly as described above. No adblocker seems to be effective against them, and writing custom rules for sites I visit once isn’t sensible use of time...

I'm not so sure. Right now, everyone uses the popup because there isn't an alternative. If there's an alternative, popup use will go down some - but how much?

> Downgrading the prompt to a non-popup icon in the address bar unless it follows a user action sounds like the perfect balance.

But where should we put these non-popups? Perhaps we could have a dedicated bar for notifications, rss, and other services that a website offers, as well as any other relevant information. That way, we won't be clogging up the address bar. I'd happily sacrifice vertical 30px for that.

A "status bar", if you will.

This is exactly the correct behavior. I've been trying to figure out if it could be enabled through an extension.

I'm a little worried that sites will all start using javascript to trigger stuff following any user action, much like a bunch of terrible sites do now with popup ads. I think the best behavior would be to only show the icon, and let sites that need it use the DOM to tell the user to click the icon. If sites want to trash their own DOM so try to get users to enable notifications, so be it, but at least this could be blocked by ad blockers. On the other hand, I don't see Mozilla doing this because they're far too concerned with discoverability by novice users.

>> Downgrading the prompt to a non-popup icon in the address bar unless it follows a user action sounds like the perfect balance.

I disagree. There should be no UI for these. A site should essentially say "click here to enable XXX" as part of the page. Anything else is essentially a pop-up. I don't want buttons or controls in my browser to be controlled by a web site. BTW that includes the back button - why browsers ever allowed sites to take control from the user is beyond me.

> A site should essentially say "click here to enable XXX" as part of the page.

Then the site will just make their own annoying popup asking to enable notifications. By giving UI control to the browser, the browser vendor can decide how forceful it should be.

> A site should essentially say "click here to enable XXX" as part of the page.

> why browsers ever allowed sites to take control from the user is beyond me.

These two statements don't fit together in my mind. Can you try to reconcile them so I can understand better what you're trying to say?

>why browsers ever allowed sites to take control from the user is beyond me.

Because users wanted sites to be able to control that?

> Most prompts are dismissed, while almost 19% of prompts caused users to leave the site immediately after being confronted with them.

Guilty. I've started taking requests for permission to send push notifications as a strong signal that I've accidentally clicked on clickbait.

It's hard to interpret a push notification as anything other than a sign that it's a shady site.

The problem is that many high profile websites behave like shady actors with plenty of dark patterns these days. Reddit is one of the most glaring examples, but even Google makes you go through hoops to tweak your privacy settings for instance.

It seems that we've gone through a strange curve, early internet (up to the early 00's I'd say) was a pretty shady place with scams and malware around every corner if you weren't careful, then we had a decade of relatively smooth sailing as things settled a bit and the players who actually provided good service managed to take over (e.g. Amazon) but now these big players have a monopoly and they are getting greedy and start becoming actively user-hostile again.

I wonder what the next step will be.

I predict the next step will be less growth-hungry sites taking over that have less VC pressure on them. So businesses with cost structures that can make a few people rich but don't need to show 140% YoY growth. Sites like craiglist, projects from indiehackers. They wouldn't nag me for push notification access – why annoy your customer when your product spreads mostly through word of mouth?

What's the logic for publishers, here? "If we add this feature, we will immediately bounce 19% of our traffic." Why would you do that? Or is this a scam thing where that 19% just proved they aren't suckers, so you don't want to waste your time on them?

You bounce 19% of your traffic but some other 30% might accidentally agree to the notifications and now you can bump your traffic every day by sending them. Those 19% are probably useless people with adblockers that never give their email or click any ads so you lose nothing anyway.

Also, you can send ads using notifications and earn money.

Probably, the ad revenue from a person who will accept push notifications and then keep coming back to the site, following links and wasting hours and hours, is worth that of many, many, many cranky people like me.

Today there is very little trust in search engines on the part of web sites so if they get a visitor today they want very badly to get a line on that person so they can keep them coming back.

That 19% of people are not monolithic. Probably some people understand what is going on, other people just realize it just another distraction, it is like having a homeless person try to sell you a macbook in San Francisco. A quality of life thing.

I have the same reaction to modal newsletter popups, or anything that blocks the content I want to see.

Most of the internet is clickbait these days.

Except for ClickHole! All that is 20,000% valid, valuable content!! cough

Serious question though: has anyone here ever used the notifications for anything other than web based IM (slack, whatsapp)?

I think the use case for legit notifications is very small, thus the UI should be an opt-in, rather than an intrusive pop-up.

I never understood why browser makers gave it such a prominent UI, and of course in this attention seeking market it was bound to be abused. The new UI that Firefox is suggesting in the article is good, this should have been like this from the first day. I hope other browser vendors quickly follow.

I have a self-hosted home automation platform with a web UI that uses web notifications for tons of things around the house (for example, a notification shows up on my device if the front-door camera notices my face, and the notification has 2 actions I can take right from the notification: "Turn on the outside lights" and "unlock the front door").

I also have it enabled for a website that sends out notifications when they go live for their podcast, the google play music site has them enabled for me to show song titles and album art when the song changes, and Circle-CI has them turned on for when builds pass/fail, but for some reason that one only works when I have the tab open...

That being said, i'm more than happy with this new UI! It's easy enough to find that sites can implement directions for users to go enable it if they want, and it's not in everyone's face for every news site that spams asking for it.

I use OneSignal on my blog (https://www.stavros.io/), which shows a small bell on the bottom right. If you click the bell, you get prompted to enable notifications for new articles. Quite a few people have done that, as it's pretty convenient if you want to be notified of new content.

Thank you for tying that to a user action, and not page load.

OneSignal does have that option, which I find supremely annoying. They should just take that out and always require you to click on the bell before triggering the notification.

Hopefully, with this browser change, they will.

I was part of a team that used web notifications as an experiment in sending live election results to people's devices:


It's a pretty fascinating feature set. You can attach images, update the content of an existing notification, attach buttons to perform custom actions, choose to make it silent or not... I think there is more utility than most implementations in the wild would suggest. One fascinating aspect of it for me is that you can do very time limited things (e.g. send election results) - users might be reluctant to download an entire app just for one evening of updates, but being able to send notification through the browser sidesteps that entirely (and more broadly, it puts a useful tool in the hands of people who can't afford native development).

That said, I agree that it's total madness that the default UI allows you to ask for permission on page load. We always had the prompt behind a button on the page and it worked great, so I think Mozilla have the right idea here.

I agree with you sooooooo much! Those popups are extremely annoying and mostly used on useless SEO blog traps. The whole notification UI should be much less prominent. If you really want to enable those notification, they should let you opt-in

Nope, IM is my only use case too.

It's actually really irritating the number of random websites that immediately popup an obtrusive notification prompt - I can only guess that they are hoping people accidentally click on the wrong button, and don't know how to disable it...

I've used it for letting customers know that artwork is ready for approval on a custom printing site. We give them the option of notification between email, text, and browser notification and our artists average creating a proof for approval in under an hour. Last time I checked, we have about 5% of people opt for browser notification only which is higher than I expected.

I wish GitHub had web push notifications. I'm happy that Reddit has them, but they barely work to be honest. Sometimes it seems to work, most of the times it just doesn't.

GitHub has an API which you can use to subscribe to them.

I know that's not what you're asking for, but it's something to build upon.

I know and I've been thinking about making it. Though I feel like it's not worth it. I would rather spend my time working on something that other people can use as well. I don't think many people are interested in a small app that only does GitHub notifications.

Yes, calendar apps like google calendar. Push applications like Pushbullet for Android. But I think your point remains... there are only a few good reasons for notifications.

> Serious question though: has anyone here ever used the notifications for anything other than web based IM (slack, whatsapp)?

I'm building a tool that uses browser notifications to ping when something new is created. It only asks for permission, when a user clicks the button which is clearly labeled to "setup browser notifications". It also sends only 1! notification until the browser tab is opened again, to not spam.

Judging from the responses, I think the reason is that browser vendors want browsers to stay relevant in a world of Apps.

At least one forum uses them to notice followup posts https://devzone.nordicsemi.com . It's redundant in that the forum can be told to notice by email.

Looking at my permissions, it'd only Mastodon/Pleroma instances and chat. The other 80~90% of sites that request permissions are blocked.

The most annoying are news/blog sites. Who the hell actually clicks Allow? Like 1%? 2%?

According to the article, overall acceptance rate on the notifications popup is 3%. But that will include legitimate notification requests like Gmail, Discord, Slack, etc..

That also includes people that just randomly accept any notification their computer gives them. This is older people who don't understand the specific permissions they are granting.

There was one time I was clicking on a navigation element right as a popup for notifications popped up and i accidently clicked it. I immediately went in and reverse the permission to block access, but I am sure there are use cases of accidental acceptance as well.

So considering all of that. My guess is that real intentional adoption is below 1%.

This is an occasional problem I've had on multiple platforms (Android/Windows OS, browser UI, ZoneAlarm way back when, etc). Why is it not yet a thing to ignore the first click within 50-100ms or so of a dialog popping up? Especially on desktop where you can find out if the cursor was already in place before the pop-up showed.

I'd imagine a lot more than 1-2%. Watching my Father use his phone the other day and he just says yes to every single thing that pops up without reading it first. I imagine a lot of the older generation are like that.

Gmail and G-Suite (professoinal Gmail) allow useful notifications. But those notifications only popup while a Gmail tab is open (such as in the background or not visible). So I like to open gmail while I am waiting for an email, I will get the notifications, can read the email, then close that tab and notifications are no longer arriving. One of the very few use cases for notifications that I appreciate. I have the same setup for Slack & Discord online versions.

Used them for paging/escalation systems (VictorOps, Pagerduty). Agree with all you wrote though, these are very niche use cases.

I clicked "accept" on about half a dozen of these from news sites sometime back just to see what would happen and I never got any alerts. I suspect sites enable it just because their news platform has a checkbox for it, then never send anything out because the acceptance rate is so low (or it would take more effort than checking a box).

The issue is that people will overlook it on IM sites now and then complain that there is no way to get notifications without an app.

So, the browser vendors worked around this by making it prominent. I think the interface was actually pretty reasonable for these legitimate use cases.

Unfortunately, reasonable tools that capture traffic will always be abused.

I would not like to use notifications for anything, including IM. Sometimes I get a lot of messages and I don't want them to distract me all the day.

A better idea is just to highlight the program in the task bar, as Windows XP did. In this case you can view the messages when it is convenient for you.

We use them at https://hund.io for notifying of a change on a status page (we're a status page provider). Users have to subscribe to push in order to be prompted by the browser for permission.

Our deployment tool at work sends you a notification if the deployment failed

I've seen some sites that do long tasks use them to alert you when the task is finished, so you can do something else while waiting and not miss when it finishes.

I use them for following YouTube channels that I like. I suspect many people would do this.

lichess, a chess website, uses them so you can tab away while waiting for a game to start.

I use it for calendar notifications.

gitlab and some internal sites

It's insane that the two visible options are "Not now" and "Allow notifications" while 99 percent of the time I want never bother me again, in fact disable this feature entirely. I clicked yes exactly 3 times (my own Nextcloud instance, Protonmail and Whatsapp web), I'd be happy to do some more clicking to enable those at the "cost" of never being bugged again.

> It's insane that the two visible options are "Not now" and "Allow notifications"

I agree the “Never” option could be more visible for some prompts, like notification.

For other things, like location data, where temporal access actually makes sense, I think making the “Never”-option less susceptible to accidental/blind clicking is a good idea.

Then "Allow" should be less susceptible as well.

I was beginning to wonder if I can disable globally by default and have no popups, just manually enable it for a specific site if I want it badly enough (I don't think I ever will anyway).

Of course then they'll start showing weird UI pop ups to enable stuff, but if websites ever do that I will close them as I do with sites that tell me to disable adblock, the last few times I ever got malware on my system was due to ads, I am NEVER turning off adblock. This was many years ago, now I only download FLOSS just to keep it that way.

Open Preferences and search "Notif". There's a blascklist/whitelist and a "no, and don't ever ask" checkbox.

I've always loved digging into the settings when I get a new web browser, IDE, or whatever. I know a lot of people don't bother configuring their software, but it just makes me shudder to imagine living with whatever defaults the vendor sets.

User script that overrides the API to noop. :)

I'm just bummed the old greasemonkey site is gone (or whatever it was called), it feels awkward trying to find scripts now.

I'm even more bummed the old stylish plugin was really malware


Eventually, it wasn't always so but yes that's disappointing.

This is a valid point. I just took an inventory of all the notifications I have opted into. For me it is Gmail, Discord, Slack, and a custom built admin interface I use for work. So I have accepted 4 out of the hundreds (or thousands) of notification prompts I see every year.

Making it opt-in would still allow valid use cases for notifications, while not annoying users as it has become for sites that are just hoping ou would break down and accept.

I also hate that the only "negative" option is "not now". Why is there not a "never allow" option?

It's such a passive agressive tactic. It boggles the mind that it's the browser vendors that implemented it. Google spent years blocking popups to the point where I never get them anymore, which is amazing, but clearly they learned a few nasty tricks along the way.

It's not passive.

There is one more reason why the acceptance rate of notification prompts is low (3%), other than the two points mentioned by Mozilla.

THAT reason is that simply people do not want to be notified. They value their attention in these times of constantly being bombarded by attention seeking prompts, ads and notifications, that if asked, people surely chose not not being bombarded more.

I’d say Mozilla is right in their wording. Your point here is also included in that - if websites showed the push dialog responsibly, it would be for example in the website settings after the user checked a box called “send me push!”. Many good web services do it this way, and if done this way I suspect the accept rate is closer to 100%.

Some people might want push from news pages, but 97%+ don’t, so it makes no sense to request it immediately.

They probably even lose subscribers. Someone who read some content and liked it, decided that they want push may have already opted out because they didn’t know the site yet.

This “feature” is abused terribly around the web. For every site with useful notifications like gmail, there are 10 which misuse it. Yesterday I had the misfortune of misclicking on the prompt from a website. I started getting notifications like “YOUR COMPUTER IS INFECTED WITH A VIRUS”. Turning off notifications for that website took at least 4 clicks through Chrome settings. Good to know there is a setting to turn it off completely on Firefox. If I personally actually wanted notifications from a service, I’d install the mobile app.

Second, Mozilla seems to use telemetry data responsibly and well. Turning off notification prompts by default can’t possibly be done unless you have the data on acceptance rate on different types of prompts. If you’re making such decisions based on your intuition you’d likely get it wrong.

I ask the folks on HN who constantly criticise the collection of such telemetry, what did I lose as a user when Firefox collected this anonymised data? More importantly, how would you have made a decision here without the data? Intuition? (I’d request that no one reply with platitudes like “with enough data nothing is anonymous” and “you’re making a nothing-to-hide argument”)

I like the Firefox approach. Nightly collects a lot of data (because you're a power user that want to improve the browser). Regular release collect a lot less.

This is the reason why windows doesn't let you opt out- power users would opt out.

Case in point - jump lists were removed from start menu.

That said- why treat regular users unfairly by not optimizing for their use cases too?

I don't see how this issue has much to do with "fairness." There's no reason that any organization must treat its audiences identically.

>This “feature” is abused terribly around the web. For every site with useful notifications like gmail, there are 10 which misuse it.

I think you're off by an order of magnitude there. It's at least 100 sites that misuse it for every legitimate one.

Yes I think that 1/100 is a more accurate ratio. I have only accepted 4 notification prompts and I know that i have encountered more than 400 that I denied.

Can't you also block it completely in Chrome and whitelist some websites? Settings -> Privacy.. -> Content Settings.. -> Notifications (Blocked)

I haven't seen any prompts since I changed that. Although I don't use this feature at all.

I think the bad thing is not telemetry itself but the fact that it is silently enabled by default instead of asking the user whether they agree to it. Make it voluntary and there would be no problems at all. I didn't ask for this feature.

Also, one doesn't need telemetry to notice how notifications are abused on the web. You can just start a browser, visit top 1000 popular sites and count how many of them show the popup.

Also, it seems like everyone tries to abuse notifications. For example, Youtube app shows a notification when the channel you are subscribed to releases a new video. Is it so urgent, that you need to distract the user? They could show this information when the user opens the app.

> Make it voluntary and there would be no problems at all.

Unfortunately that would make the telemetry non-representative. That said, it is opt-in when possible, if you consider "using Nightly" as opt-in (it's clearly explained before and after installing Nightly).

> You can just start a browser, visit top 1000 popular sites and count how many of them show the popup.

That doesn't tell you anything about what behaviour led up to a permission request that got granted vs the 97% that got ignored. Furthermore, it wouldn't have told them that the notification request is denied far more often by users than the webcam/mic request.

> Also, it seems like everyone tries to abuse notifications. For example, Youtube app shows a notification when the channel you are subscribed to releases a new video. Is it so urgent, that you need to distract the user? They could show this information when the user opens the app.

It would be nice to have data on when users revoke permissions again as well, indeed.

Have you used Firefox? A notification about telemetry is shown on-screen the first time you launch it, including a link (or maybe button, I forget) taking you to the settings page where it can be disabled.

If you're talking about telemetry collection in general, and not specifically Firefox, then nevermind.

I don't find telemetry bad in any way, provided that it is non-identifying telemetry, so I don't mind that it's on by default. There should always be an option to turn it off for those that want to.

Many, many more applications collect telemetry than people suspect, and for every application you know of that collects it, there are a dozen that collect it without telling you.

You are right about notifications being over used. We've all gotten notification fatigue, now, because every website thinks it's own notifications are super important. I want notifications when major news events happen, when my wife texts me, and for nothing else. I do not, and will not ever, care to be notified the instant a website has new content.

>Turning off notifications for that website took at least 4 clicks through Chrome settings.

It's actually just three clicks, and you can do so from the page itself. No need to go into settings.

Click the Lock icon left of the omnibar. On pages that request notification permissions (eg. reddit), you'll see a toggle for it. Along with any other permissions requested.

But you have to make only one click to agree to the notifications.

Yes, or one click to disagree. What's wrong with that approach?

If you like it, feel free to enable telemetry. But why force me to enable it as well?

Exactly for actions like this which they've done in the post. Would you prefer a more obvious switch on setup?

I don't agree with that thinking. I can say the opposite. Why did someone enabled the notifications feature globally? Was it based on intuition? Then they are wrong, they are actually. They should collect data from all people before inserting any such "features".

What? You want them to “collect data from all people” on how they use a feature right now ... before adding the feature? How would that work, exactly?

> they are actually.


I don't want that.

The previous comment said that if it's not based on telemetry, then the intuition based decision is wrong. I am suggesting that if that's the case then we have to use telemetry before implementing everything. We should never have any feature without telemetry confirming it first.

>I ask the folks on HN who constantly criticise the collection of such telemetry, what did I lose as a user when Firefox collected this anonymised data? More importantly, how would you have made a decision here without the data? Intuition? (I’d request that no one reply with platitudes like “with enough data nothing is anonymous” and “you’re making a nothing-to-hide argument”)

You don't need telemetry to find out that notifications get abused like that.

No but you need telemetry to find out how users react to abusive notifications and how they interact with websites where they do genuinely want notifications from. You can't just guess that.

>you need telemetry to find out how users react to abusive notifications

You need telemetry to find out how users react to abusive notifications? Wow. I know that A/B testing is in vogue, but can’t they just use some common sense?

People despise abusive notification prompts.

People despise abusive location prompts.

People despised abusive popups to the point that every browser blocks them and websites started emulating popups via CSS to keep abusing their users (hi Medium!).

  You need telemetry to find out how users
  react to abusive notifications?
I run an ad blocker, so my perception of notifications is they're used for things like breaking news notifications on news websites [1]. That's not a feature I personally need, but 24 hour news channels exist so presumably someone feels they need regular news updates.

So no, it's not obvious to me everyone dislikes notification requests, even if I have them all blocked myself.

If you let curmudgeon developers like me dictate products' features sets based on intuition, there'd be no HTML e-mail, no third-party cookies, no WebGL, no emojis, no WebUSB.... :)

[1] https://www.wired.co.uk/article/push-notifications-breaking-...

And what a world we would live in!

When is a notification prompt abusive? What rule do you need to distinguish a non-abusive prompt (for example a chat program wanting the ability to notify you or a GPS-related map on a website) vs an abusive prompt (newswebsite wanting to spam you or a tracking tool using GPS).

Common sense doesn't work here because everyone has a different perception of when these prompts become abusive or unwanted. Mozilla uses the data collected to determine how they can establish a rule to distinguish between abusive prompts and non-abusive prompts.

How users react to them is a good indicator if the prompt was abusive or not, most people will decline abusive prompts and accept good ones.

A simple "wait until first DOM interaction" will likely be not sufficient since a simple click on a text would then create the prompt. With more data you can determine a better rule.

That people despise these prompts is fairly obvious and exactly why Mozilla is collecting the data; they want to help people by establishing a good common ground rule for these notifications to be automatically blocked.

Unfortunately we are living in the world where the common sense is wrecked. People do complain if abusive notifications are blocked and websites are rendered unusable as a result, though it is completely the fault of websites! Keep in mind that browser vendors are trying to solve multivariate equations that involve users, web developers, companies, abusers and crackers...

You're making an assumption that their decision was based on data they collected. Not worth discussing data privacy with you over that-- they may have very well done simple user testing or done it on a whim of a few users that put a good case forward.

From the article: > According to our telemetry data, the notifications prompt is by far the most frequently shown permission prompt, with about 18 million prompts shown on Firefox Beta in the month from Dec 25 2018 to Jan 24 2019. Not even 3% of these prompts got accepted by users.

The decision seems very clearly based on the collected data.

No it's not, they quoted some telemetry but the feature and decision may have been decided way before then. The data may only be a justification for it.

> May have been

That’s a huge assumption. I’m going with a smaller assumption that Mozilla wouldn’t publicly lie for no obvious gain.

Well, there is little proof that they decided something and then went looking for data unless you can find some statement by mozilla that supports your theory?

He's also failing to acknowledge that using telemetry in a constructive way does not preclude using that telemetry in a malicious way as well.

Firefox’s source code is open. So is Visual Studio Code. Could you please tell us what is collected that could possibly be used maliciously?

You can get started here - https://github.com/Microsoft/vscode-extension-telemetry and https://github.com/Microsoft/vscode

I didn't say that I believe it's being used maliciously. I pointed out that "Second, Mozilla seems to use telemetry data responsibly and well." is an assumption that can't be justified by observing publicized uses of the telemetry. It presumes that published uses of telemetry encompass all uses of telemetry.

I have no reason to look at Mozilla's source because their stated policy already admits they collect information that could be considered sensitive, under certain circumstances:

> Category 3 “Web activity data”: Information about user web browsing that could be considered sensitive. Examples include users’ specific web browsing history; general information about their web browsing history (such as TLDs or categories of webpages visited over time); and potentially certain types of interaction data about specific webpages visited.

> Pre-Release: May be eligible for default on data collection, provided there is an opt-out.

> Release: Default off. On a case-by-case basis collections may be eligible to be "default on" if mitigations are identified. Mitigations may include UX changes that make users aware of additional risk, technical mechanisms that remove the risk, or a risk assessment done of a case-by-case basis that determines the risk is limited.

So here we have mozilla admitting that their default-on telemetry in pre-release copies of Firefox may include browsing history. This is information that COULD be used improperly. That's not to say Mozilla is, but confirmation that they aren't would require independent audits of the organization and their security practices. Simply reviewing their press releases is not enough to conclude that they haven't misused sensitive information.

(Frankly I don't give a damn about VSCode, at all.)

I think the important point is that software developers prefer to enable telemetry silently, without even notifying the user, let alone asking for a permission. If they think that telemetry is so useful, why not ask the user about it?

Firefox does notify the user, along with a button to disable it.

I don't disagree with you but this is a discussion about Firefox, what does Visual Studio Code have to do with anything?

It's a discussion about opt-in telemetry (that I started). I pointed out VS Code as another example of an app that gets a lot of hate on HN for using opt-out telemetry.

> Firefox’s source code is open.

So is its telemetry data: https://telemetry.mozilla.org/

I'm still shocked that anybody thought the first generation implementation of this (in any browser, not specific to Firefox) was ever a good idea. I can see making the request visible to the end user, but... as a dialog? Why?

At least make it a narrow bar across the top/bottom that doesn't obscure web site content and can be easily ignored. Perhaps better would be to make it a button like there is a button to favorite/bookmark a site. A dialog isn't even near the top of the list of good designs.

Agreed completely.

- Why are dialogs still a thing?

- Why is stealing focus still a thing?

Browser makers, operating system manufacturers: Stop it. Dialogs are hot garbage, and users ALONE should have control over input focus. If you need the user's attention flash/animate.

If you cannot make a thing without a dialog, focus lock, or focus theft then maybe the thing you were trying to make was inherently a bad idea.

Windows is terrible at this. I was running the Visual Studio Installer in the background and it stole key-input focus dozens of times, often going to black dialog boxes that immediately closed leaving focus on nothing.

Firefox and Chrome don't steal focus in this dialog. It's not modal either.

Firefox absolutely steals focus for this permissions dialog, as recently as AFTER you made that post (Firefox 66.0.1).

Can't reproduce. Tried stern.de, Firefox 66. Scrolling with keys still works. I tried clicking the search as fast as possible before the permissions dialog comes. Key input still works after dialog appears.

I had no idea wth you were talking about until you mentioned Visual Studio Installer, then I knew immediately what you meant.

This is a huge problem for Windows and Mac.

Open notepad. Press a key over and over. If the key-press stops going to notepad then focus has been transferred/stolen. Firefox's Notification Permission dialog has this behavior within the browser.

For example go to Reddit or Facebook, start entering text, the notification permission dialog will appear, steal focus, and now your key-presses go into a black hole.

The whole concept of focus-theft is an anti-pattern. Interestingly one mobile operating systems originally designed out but has slowly been creeping back in.

Every time it happens, I feel like Charlie Brown trying to kick that football: https://peanuts.fandom.com/wiki/Football_gag

Steam also has this problem in Linux, though that's the only program I can think of. Opening Steam results in three different windows stealing focus in sequence for no other reason than to tell you that Steam is in the process of opening.

4 for me. Updating, logging in, the client, and the ads.

I removed it from my panel just so I'd stop waiting for these if I misclicked it.

Software on Linux is not always better. IntelliJ for example took focus two times on startup for a long time.

For years browser vendors have displayed little yellow infobars at the top of the screen related to page functionality. These were visible enough but didn't demand immediate action in the way a dialog taking focus and overlaying the browser chrome and page does. Browser vendors had better UX options to choose.

And push notifications definitely fall into the "this is something you might wish to do to enhance page functionality" category rather than "this is something the browser needs you to action" category associated with dialog boxes.

As long as the websites that request the permission have a legitimate reason to show notifications, a dialog is actually a good idea - it makes it easy for users to enable notifications, whereas a toolbar button would be easy to miss. If browsers had anticipated every random news site asking to show notifications, I imagine it would have been designed differently.

No, it's not.

Currently on legitimate and decently built sites I get a custom JS modal popup that asks me to accept the location request before they even request location access. They do this because otherwise their location request gets dismissed by users out of habbit and then people don't know how to reenable it.

It's shit UX.

Notifications and always on location access should be a bell icon in the url bar. Think YouTube notifications.

On top of that, there should be a "use location" html element that sets it's value to the current location when clicked. It would also be nice if that threw up a warning when proxy settings are detected.

I think this bell meme is less widespread than you think. I can't imagine the people I know concluding that the notification permission is hidden under a bell icon, let alone find it intuitive.

Au contraire, i think the bell meme is more widespread than you think. Taking India as an example, the lower levels of literacy has actually made video content the primary form of online content. And with youtube being one of the major portals of such content and with every youtuber in every corner of the globe nagging subscibers (in their native language) to click that bell icon i think it has already spread to a large demographic.

I wasn't claiming it was well known, in this case I don't think it matters. I assumed anyone that really cares would throw up an arrow and some blinking text pointing at it. Yes, this will be ugly, just like every site I visit asking if they can send me private messages whenever they want is ugly.

That said, the bell icon not being intuitive doesnt stop YouTube.

Likewise, channels switched to "like, comment, subscribe, and don't forget to hit the bell." Literally overnight.

I just see this concern as a non issue.

Also because some browsers once you deny you can't re-request. but you can show as many html 'overlay prompts' as you want

It is literally being used to abuse less tech literate ppl (elderly, children, non english speakers, non-tech savvy people, people from third world countries).

Such people just click yes yes yes to these popups without reading them (thinking theyre EU cookie, T&C, privacy prompts, etc). Its a prime vector for malwartisements these days.

Didn't they? It sounds strange to assume that nobody ever wondered how this feature might be abused - it's not like that hasn't happened before in the history of browsers.

I find it particularly weird that Firefox has that great annoying popup for notifications, but reports suppressed pop-ups with an obvious but unobtrusive top bar. Why not use exactly the same construct for notifications?

it seemed more a protest to having to. as is it is bad and i could not believe the way they did it.

Just a couple weeks ago i was helping "disinfect" an android phone for a acquaintance (shopkeeper) here in India.

The "virus" in question was chrome notifications for spam/porn/malware probably from malvertisements embedeed in some websites. It took me several minutes to locate and disable them. You would think that chrome on android would give an option to disable an offending notification from the notification bar but no, you have to go digging in the chrome settings and scan through the permission list to find the offenders.

While i certainly think it is a useful api needed for the free web(i still prefer websites over apps which are essentially websites with undeleteable hypercookies), Mozilla and Google need to do a better job protecting the literally billions of people who are less literate (either in tech or english) from the cesspool that is online media.

It would have been better if the notification API never existed and RSS had become the de facto standard for subscribing. The only good use for a notification API is urgent information, almost nothing on the internet qualifies. Giving everyone the power ruined the whole thing.

Yeah the only thing I think it's actually useful for is chat apps -- and for the ones I use frequently I ended up downloading their electron app anyway

It's also nice for Google Calendar notifications.

Convenient, but anything truly important requires multiple forms of notification anyway since you might not be in front of your browser. I usually set sticky reminders (e.g. order more contacts) to send an email, and do-it-now reminders (e.g. ZeroPage Homebrew is live on Twitch now!) to both email and SMS. Browser notifications are pretty redundant after that, but nothing's wrong with having multiple fail-safes if you're really paranoid about forgetting something.

Good work from Mozilla, but it won't help prevent those sites that pop up a HTML modal asking you to subscribe by email AND then a few seconds later pop up another HTML modal asking to send you notifications to keep you up to date AND then sliding in something from the bottom with "relevant" posts AND maybe also slide something else in from the top or sides with some other thing that just ends up blocking the content you're actually interested in reading....

I opened a medium post the other day from my phone that did all this stuff. It was amazing - there was a bar up the top asking me to install the medium app. Then another bar below that asking me to subscribe to the author or something. Then a call-to-action pop-over on the bottom of the screen asking me to join a mailing list or something.

Only about 1/4 of my phone screen was left displaying the content - which wasn't even enough space to see the post's title on my plus sized phone.

I closed the tab, because who has time for that?

I can never tell if websites don't know how many people get turned away by how awful their websites are, or if they know but figure its a good deal. (Maybe medium figures an X% drop in blog engagement is worth it if a few readers join their mailing list).

In the meantime I'd like it if all browsers added an option to automatically block all website notification requests. Firefox does this, and its great.

Back in the 80s I used to read Texas Monthly magazine. It had a lot of good writing (still does). But I had to quit when they started putting the table of contents after 30 pages of ads. Worse, every issue contained 2 or 3 scratch-and-sniff perfume samples that made the magazine reek like a bordello.

We're kind of at that stage with the web now. There's no perfume (yet) but there are auto-play videos. (Thank you Mozilla for fixing these.)

> I can never tell if websites don't know how many people get turned away by how awful their websites are, or if they know but figure its a good deal.

Having been told to implement aggressive exit-intent overlays on sites: I'm pretty sure it's the latter. A substantial amount of people don't bounce if you throw an annoying "do you really not want to know this secret?" overlay at them with an option saying something like "OK YES I WANT TO KNOW". I hate sites that do it, but for most sites, it's not tech-adept power users that make up the audience.

My favourite thing about using 1Password to store my credit-card details is the number of times I've gone to pay, started moving my mouse to the 1Password button, and the exit-intent fires and gives me a discount I wasn't expecting.

Fyi, you might like, Firefox + ublock + annoyances list on mobile fix most of this garbage.

What is "annoyances list" ?

EDIT: Oh, right, inside the ublock options.

A filter list targeted at removing annoyances. There's a few around, https://github.com/yourduskquibbles/webannoyances is a popular example.

Right, I found a couple inside the "3rd party" tab in ublock. This is great! Thanks.

"'3rd party' tab"?

What is your version of uBlock Origin? That tab was renamed "Filter lists" a long, long time ago.

Don't forget the chatbot. "Wouldn't you like to ask me a question?" in a modal dialog that covers 25% of (what's left of) the content.

No. I don't want to ask you a question. You're a robot in the uncanny valley of English, and you're annoying me.

Thank goodness for the Kill Sticky bookmarklet. I could not surf without it nowadays.

I'm not sure if they're still actively working on it, but Mozilla at least intended to find a way to block those as well: https://addons.mozilla.org/en-US/firefox/addon/in-page-pop-u...

I've found that the "Kill Sticky" bookmarklet works wonders for obliterating most of these in a single click.

I don' think Mozilla can stop terrible websites from being terrible. You'll just have to visit better websites.

Imho only Google can solve that. Give sites that do non-interaction overlays -100 and it will be a thing of the past.

A couple of weeks ago I had a site that simultaneously showed me an extra-wide cookie bar, a notification request, and a greyed out screen with a half-screen "Disable Adblocker" request. That was two-thirds of my entire laptop screen devoted to popups I didn't want!

NoScript fixes a lot of this crap. If you want to deal with less breakage you can use the uB:Origin element zapper to remove annoying overlays.

I just close the whole tab and never visit again if that happens...

I love the satirical version of this bullshit that http://n-gate.com/ uses.

Maybe I missed it but I don't see a discussion about how the majority of sites are actually showing a "pre-prompt" for notifications before triggering the actual prompt from the browser. This is similar to how apps ask you to rate them using some internal UI and only if you rating is the desired one (5 stars) send you to the app store so you can rate them there.

With the notifications a 3rd party script is used to display a Yes/No prompt for notifications and only when you click yes on that prompt it triggers the browser's yes/no prompt. This allows the site to show you the notification request on each session while if they used the browser's native prompt they could only show it once.

This is similar to how many iOS apps have gone to now. When iPhones first allowed permission prompting, every app used to just spam every permissions prompt as soon as you downloaded the app, hoping you accepted a few of them.

Now I have noticed apps are showing in-app prompts that say "We need your location in order to quickly find rides near you. Do you want to allow location access now?". This then prompts the actual iOS permission prompt to show up if you accept.

>>the majority of sites are actually showing a "pre-prompt" for notifications

Do a majority of sites do this? I have never seen it, but have seen the browser notification prompt several times

I'm in ecommerce so I visit a lot of online stores. I'd say about 80% of them are doing this.

The giveaway is that the arrow doesn't actually leave the page and overlap the status/url bar. It's pretty subtle

I have seen this. For example, some online shops, newspapers.

Websites should not ask users for permission notifications. It only annoys the people using it. It is a bad idea!

If users are interested enough in your content, they will find a way to opt-in for notifications like email; an opt-in for notifications button or even RSS. Why would website owners assume that users want to get notifications only after 5 seconds of visiting a random site?

Some of them do have legitimate uses, like chat apps (messages.android.com for example). Otherwise though I do agree that they are a fairly bad idea.

Even then, notification permission should not be requested without some sort of prior input from the user. A simple red bell icon with the hover text "enable notifications" would work so much better than the user being assaulted with the dialogue box right away.

It really is a shame to see how terribly these permission requests have been abused, especially by news sites. I see this is a push for engagement by management, and not sufficient pushback from developers against this dark pattern.

This is not a difficult feature to implement well, and we should know how to do it properly after years of mobile permission request design.

Yeah, it should require user interaction to trigger the prompt. In fact, some of the better websites do this already.

This should be the same for nearly everything, like:

- playing video/audio automatically - location access - direct GPU access

In fact, it would probably make sense to include all scripting (JavaScript and web assembly).

To make this suck less, the website should be able to request multiple permissions at once, with each permission able to be granted individually and websites able to put a short reason why each is being requested. Those permissions should show up in an easy to use menu for each site, like the TLS info button. Perhaps that same menu is the only way to enable/disable, so no popups, and all permissions are disabled by default.

Yea gitter is the only website I've given this permission to. It makes the user experience much better and so far they haven't abused it.

I'd add lichess.org as an example of well used notifications - telling you the opponent moved.

Pokémon Showdown uses it for both – telling you your opponent moved, and message notifications when used as a chat app.

It doesn't ask for the permission until you start a game or send a private message, though. I think the original version of the spec required an interaction before the permission prompt when I implemented it – I'm surprised the restriction was removed.

There are certainly a few legitimate use cases. There should be an enable desktop notifications button or something similar in those cases.

I almost wonder if sites are hoping people will enable notifications by accident, and then read the content after getting notified. I know at least a few people who've clicked the "allow" button by mistake, and then couldn't figure out how to turn the notifications off.

That's certainly the logic, no doubt about it.

A do appreciate that browsers provide a standard way to ask for these permissions. For instance, I deny most of the "know your location" queries, but it is not infrequent that I do wish to use a Web service that asks to know where I am.

Pop-up is a bad way, the above proposal for (admittedly some more clutter) buttons in address bar is better.

Notification requests are really saturating my patience. I appreciate the Mozilla/Firefox efforts for creating a user-first browser, with this and past features.

I always avoided (or at least I try not) to provide any telemetry data, but in the case of Firefox, if these are the kind of improvements we may have, maybe I will opt-in for anon telemetry.

Is the voting-with-your-wallet era moving into voting-with-your-telemetry era?

It has always been that way. If you had one of these boxes that measured the channels you watch on tv, you had much more influence on what’s going to be on next year than other people. If you fill in an (anonymous) questionnaire about politica issues you have more influence on these issues than people who just cast one vote.

I think that no matter what solution the browsers decide on, we will always have to fight the “pre-permission prompts” from websites. These are the homemade prompts in JS and html that the sites pop up that essentially ask if you want to be prompted for the real permission. Once you click accept on their dialog, they hit the real browser api to show the native dialog.

I actually mind those a lot less, since these prompts can be used to properly set expectations about how the notification permission will be used.

Or at least, I mind these a lot less in theory, since it feels like they're rarely implemented this way. It's a golden opportunity for app developers to explain why they want to send you notifications, what benefit you'll get from it, and how often you should expect to be notified, and recipe sites are using it to trick you into effectively signing up for a mailing list.

At least those can be blocked with adblockers.

Yes! I hate the notifications prompt showing up on the landing page of a website. I definitely support the browser blocking nuisances until there's user interaction, things such as: sound, videos, popups, and request for permissions.

It's slightly unfortunate that after reading this I went to https://developer.mozilla.org/en-US/docs/Web/API/notificatio... to read up about them, and immediately got an unsolicited "allow notifications?" prompt.

To clarify: MDN in general does not ask for notification permissions.

However, it does execute code samples on the page.

That page has a code sample for requesting permissions.

Well, what's good for the goose.

Hmmm - I can see how this is a good thing for the notification permission (there are far too many news/blog sites starting with that request) - but it looks from what they're saying that microphone/camera will still use the old method. Won't that be a bit confusing?

As an aside I've often wondered why cookie permissions couldn't be moved to a similar model? It would create a much more consistent experience instead of the popup insanity we currently have across Europe...

Use this for the cookie permission popup nonsense: https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

About time. Introducing a feature like this without a "Go away, and never come back!" button was a big UX fail IMO.

On a related note, seems like desktop notifications would be a great venue for remote code exploits. Have there been any yet?

Under the big arrow next to the "Not now" button is a "Never on this site" button, of that's what you mean. Otherwise there is the settings item (which, admittedly was added recently)

I don't want a "never on this site" button, I want "disable popups forever and don't pester me again". Glad this can be done in the settings now.

As a user, I don't even really understand what a "notification" is but it sounds annoying. I don't think I've ever allowed them when prompted. I didn't realize until reading this that I could disable these prompts entirely, but I have just done that.

Straw proposal: Get rid of the whole system of permission prompts completely and instead introduce a special input element for each permission.

Example: Instead of calling a JS API to show a prompt for push notifications, you'd embed an [input type="push-permission"] element in your page. This element would render as a special button that grants you the permission once the user clicks on it.

However, embedding it into a context where the user would actually want to click it, is your responsibility.

It would still be possible to spam the user with "self-made" overlay popups, but this is already possible today. The button would also need protection against clickjacking, which, I think, can be done by restricting how it can be styled or layered.

This will only result in people finding clickjacking methods to trick you into pressing. I would prefer that you can only trigger the request (using JS) on a top-level click-event, similar to how audio works on iOS (maybe Android too?).

I feel that browsers are really getting permissions horribly wrong. The prompts often look very similar to each other (no icons) regardless of what they are for. Some permissions are detectable, others are not. When a site tried to use a function that's blocked, the notification in the browser is often easy to miss, leaving users wondering why the functionality isn't working.

If it were good:

1. Users would be very aware of the request or attempted use for any permission.

2. Users would be able to easily ignore that request without the permission prompt interrupting them.

It seems that browser vendors are struggling with a fairly simple UX problem.

I welcome this change. Notification prompts have lately become the new popups. Almost every WordPress blog under the sun now is nagging for notifications.

In my opinion, notifications are poor UI solution:

- they distract attention

- they obstruct content below

- they disappear quickly

Also this allows the site to monitor whether user's computer is on or off even if all the tabs with the site are closed.

In Windows XP the way for an app to ask for user's attention was to highlight app's button on the taskbar (it also could flash several times which I never liked). While this is a little bit distracting too, it is still much better than Android-style notifications. With Windows XP, you can switch to the app when you have time.

Browser push notifications were designed with interests of developers in mind, not with interests of users.

A better solution might be to highlight the tab that needs user's attention and highlight browser's button on the taskbar.

On the other side, Android-style, annoying notifications might be easier to notice and understand for users who don't understand computers well.

I think Firefox devs should also consider switching from Android-style distracting notifications to time-tested solution from Windows XP. I don't think the ideas from the article will work.

For example, they suggest to show an icon in the address bar but there are already too much icons and users might not notice it. And if you allow to show permission popup only after click, then sites will show it after you click anything.

The article doesn't seem to mention this, but you can already disable popups for notifications in Firefox.

1. Go to Preferences, Privacy & Security

2. Scroll to Permissions > Notifications, click Settings...

3. At the bottom of the dialog window, check Block new requests asking to allow notifications

The permissions already granted will still work.

>> Most prompts are dismissed, while almost 19% of prompts caused users to leave the site immediately after being confronted with them.

Finally! Some numbers from a respectable source showing that most pop-us are bad for user engagement.

god forbid you leave firefox set to never remember history, you don't get the option to block sites forever. So every time you hit a reddit link it will gleefully present you with a prompt about notification permissions.

Wow thank you for pointing that out. I have always set my browsers to never remember history, if I want to remember it, I will use a bookmark. Consequently Reddit mobile will totally spam me, making it even more unusable than before.

Alternatively you can workaround the issue by telling firefox to delete history on close. This will allow you to block notifications per-session.

It seems to have gotten much worse on reddit lately. I would not be surprised if that is what pushed them to start to do something about it.

You could use this extension to always redirect to old reddit, which doesn't have any notification shenanigans.


Firefox has a "Block new requests asking to allow notifications" checkbox in the Notifications settings under Privacy. This can be done for all prompts and will permanently disable all prompts unless you whitelist a website, essentially.

That's not entirely true. Remembering history is also different from remembering permissions. Firefox should persist those independently from actual URLs in browsing history.

And there's a button in settings where you can disable permission prompts for notifications globally.

> That's not entirely true. Remembering history is also different from remembering permissions.

Explain how it isn't true. I described a behavior with Firefox that's problematic and caused by 'automatic private browsing', which is what you get when you set 'never remember history'. When this is done it does not track state separately as you say.

Related: https://support.mozilla.org/en-US/questions/1140700

Also, for more fun and unexpected behavior with that mode: https://bugzilla.mozilla.org/show_bug.cgi?id=513421

I feel like Solution 1 is pretty close to what I see as the "solution".

I think for commonly requested permissions that are not commonly accepted, they should just use a smaller, more discreet icon for notifying the user; one that doesn't hang down over the chrome and block/cover up the site. That way, it can be easily ignored.

It should be more obvious than the one they're using in that solution. Maybe something equivalent to an icon next to the refresh button or something. The text icon they had in #1 was probably /too/ easy to ignore.

As someone with "not-so-tech-savvy" users on my website, this is bound to get ignored a lot. I have seen screenshots of my users (when they need support) and they dont even click "Okay" on the Cookie bar (to accept cookies and stuff) and / or any notification on the website (Not the Push Notification).

Is there a reason you have a cookie bar? The idea of a 'click ok' bar should be dead since GDPR adjusted the law. If it's not for tracking then you don't need a bar. If it is for tracking then whenever possible the site should work without opting in.

“Reduced” should be “zero”. Prompts are fundamentally broken; they replace simple interactions with “STOP, answer this question NOW!” scenarios. A sensible solution would be: automatically deny by default because sites don’t really need to be asking up front! They can either give you another way (e.g. button/field) or they don’t have business querying this in the first place.

Simple example: On one site I used to just type in my zip code (easy but explicit transfer of information) and it immediately zoomed a map to my specified area. Then one day they changed it to magical location tracking; now, before I can even enter the stupid zip code (still an option and all I ever want), I get a “STOP! Share location!?!?” kind of interaction first. I have to find it, close it, then enter a zip. I had the zip code in my head and would be able to type it in a second with no delay but instead, I am distracted. Or maybe I was copying and pasting. Everything about immediate form access was efficient.

All prompts have this problem. The potential for a prompt out of the blue makes direct actions slower, and any other case where a prompt might appear is going to be an undesirable interruption telling you about things you didn’t want happening anyway. User agents should be saying No to unreasonable requests for me, like a good manager.

The difference is that the ZIP code doesn't tell them the exact house in which you live.

Good to see, I outright disabled them. Its pretty rare when I would ever want something like this.

I don't want to receive notifications from any site nor grant any permissions to any website ever. Perhaps some people want to grant permissions and to receive notifications from some websites but it seems obvious that will always be about just a small selection of favourite websites. So I doubt it even is reasonable to pop anything up, just make subscribe/allow buttons easy to find yet waiting for the user passively.

If I want to be bothered at random I'll install the app. This functionality should never have been bundled into a web browser.

It still boggles my mind how over engineered that prompt is in Firefox [1]. And glad to see that the new prompt follows Safari’s simple “Allow / Disallow”.

[1] Of course I got into a shouting match on Twitter about it some time back: https://twitter.com/dmitriid/status/920293887746433024 and https://twitter.com/dmitriid/status/920373234104700931

I honestly think a patch is a more productive way to deal with this if you're a developer who wants to see the functionality.

What if I'm a developer who has no idea how Firefox UI works?

Notifications are the new popups, just add an option to disable them completely.

Making the "Never Allow" button directly accessible is a big win.

The notification prompt should be a good lesson in feature creep for browser vendors. Pretty much applies to all "engagement" features: If you build it, it will be abused.

I wonder how many of the currently-accepted prompts are already in response to user interaction. If it's most of them, then the first option would still be reasonable.

Good. The whole notifications thing is BS as it’s used on most of the web and is actively exploited and there’s no “don’t show this again” prompt to be found anywhere. The only sites that do it gracefully show a cookie-consent-like floating div that pops the prompt up if you accept it. I have honestly been looking into completely disabling the whole thing but despite Safari being quite good usually, there is no option to do that anywhere to my knowledge.

I think there should be a difference between sites which the user is merely browsing, and sites which a user is actively using. The former shouldn't be able to show popups, while the latter may. Moving a website from "browsing" to "using" state could be done with a (small) button in the top bar. It's in a sense like "installing" an app.

The UX pattern that should be observed is preflighting -- ask the user if they want notifications from within the webpage (if appropriate, obviously) and let them know it'll prompt a browser dialog. If they say yes, you're good to go. It's an extra step that significantly improves both conversion and experience, often used in mobile.

Global setting: “I will never choose to receive notifications from a website.” Linked directly from that popop.


Chrome already does this right with language translation: “do you want to translate this website?” “No”/“Never translate this site”/“Never translate French”

Do that with notifications And well never need to see that prompt again.

It's completely rude to send a browser notification prompt without prior warning. The solution to this is html notification prompts that only trigger the browser notification prompt when the user clicks on them. They aren't as intrusive. That's what I use on my wordpress site.

what I would dearly like to have is a way to disable the Firefox update notification that pops up every day

While we're at it, some sort of "always opt in or opt out of cookies" standard would be very nice. I'm really tired of sites asking for permission. Forcing companies to ask to use cookies was a mistake, cookies on/off should have been a browser feature first.

It was ... it just wasn't really exposed except as "arcane configuration that 99.9% of users would never even know was there". This is why we, as an industry need to be proactive in putting the user first in decisions like this, because if we don't, it will get abused, and then that's when the regulation comes (and rightly so).

Tracking is the reality, cookies are merely one form of it and disabling them does basically nothing. "Regulator mandated popup" is the worst possible outcome.

If a website presents a pop up to me asking if I want notifications, I click yes then I click block when the browser dialogue appears. No more notification pop ups on that site.

I realize I can categorically block all notification permissions, but there are some sites where I want to allow them.

Is there a plugin or setting to auto reject these in firefox and/or chrome? Notifications are something I will never want from a website, and most of the time its as annoying as a popup. No, random news site for somewhere I don't live, I would not like your notifications.

These notifications can in a way act as a sort of adware. I had family friends who complained of pop ups on their laptop advertising dodgy products. Turned out they'd accidentally dismissed one of these with an OK and was being spammed in the desktop environment via Chrome.

IMO, it makes more sense to require that the permission prompt is tied to a button instead of directly triggered by a script.

IE, the only way to display the permission prompt is to put a button on the page, and then the permission prompt is only shown when the user clicks the button.

These are super annoying in Safari, too. Apple needs to take note and follow Firefox’s lead here.

You can completely disable them for all websites, and allow notifications for some websites.

I disabled them and never see them anymore.

I disabled the allow push notifications checkbox in Safari, but still get prompted with the native Safari modal. I'm not sure how this is done, and it's infrequent, but I'm guessing Safari left a hole in their notifications web API that is being exploited.

Safari's implementation could also be improved. The modal forces you to chose without the ability to cancel, and saves the website into your preferences, even if you just want to immediately close the tab.

First thing I do on a new Firefox install (among other things) is disable all new requests for Alerts. I've never wanted a website to send me alerts, and I've never met anyone who wanted them. Who is the audience for this?

> User interaction is a popular measure because it is often seen as a proxy for user consent and engagement with the website.

“This site uses COOKIES! Click here to brush off this interruption and be presented with the page proper.”

Those omnipresent dialogs are a cancer on the web. It was the worst idea ever.

I actually can't believe the browser vendors made basically the same mistake as the obnoxious JS "alert()"

I would be happier if Firefox dropped the prompts "feature" completely. Just ignore it. Less code, less dependencies, and less hassle for everyone involved.

And you can't think of any valid use-case for notifications for anyone? Bearing in mind that we are talking about a huge range of potential apps that now run in the browser?

How about communication apps? Or reminder apps?

Make the 10 users who need those install a plugin.

I'm still surprised µblock doesnt have a list for this.

The name notification permission is misleading. Because what it actually does is run any code from websites you aren't even visiting currently.

Nice to see Mozilla doing something against this. I've found those unsolicited notifications to be annoying in 95% of the cases.

OK, changing tools is painful, but I think they're gonna actually get me to switch to firefox.

It took me a bit to adjust from Chrome, but I haven't looked back.

Any advice to a potential switcher from Chrome? Anything you did to make FF more Chrome-like in any ways or whatever?

As a web dev, I'm scared of having to learn the new dev tools (I'm gonna use the same primary browser for web dev as for everyday, realistically). Do you use the dev tools, did you find it easy to switch there?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact