I'm not all that happy with second chance options in the first place... but a dedicated element with browser-level protections on making sure it's clear clicking that particular element is going to second chance the permission prompt is at least much less likely to get abused.
> protections on making sure it's clear clicking that particular element is going to second chance the permission prompt is at least much less likely to get abused.
I guess I really don't understand the abuse they're trying to guard against. The protections are like "the button isn't transparent and there's a 3:1 contrast ratio, because clickjacking." Alright, so I will just make the button say 'click to view content' or 'click for free bitcoins' or really anything at all and people will happily press it.
And when they do they'll get the same permission dialog they would have if I had been allowed to make the button invisible anyway.
I understand the use case for the second chancing. I think it's really crazy to make it require this special HTML (!?) element that you can only have up to 3 of on your page at a time (because we all know as soon as you hit 4 of these buttons it means you're up to no good).
If it were me I would have allowed second chancing via JS API, only if initiated by user action (we have that pattern already for events), and with exponential backoff between retries.
If they were really dead set on this whole concept of secure enclave essential oils elements, they had a decent idea with the `<permission>` element that they mentioned in the article - but then we decided to throw that out, but don't worry, specific `<camera>` and `<microphone>` elements are coming soon.
right now sites can't retry prompts because they could just spam annoying permission dialogs in a loop until the user hits allow. that's a problem for legit sites because you have to manually go and grant the permission from site settings if you change your mind. it adds friction you can't avoid with a script based design.
with a special element, dialogs can only show once for every user action. even if the site uses "click to get bitcoin" style misleading prompts users will notice and not click on that button again. none of this is about security in a strict sense, just better ux on both good and bad sites.
I'm probably getting too old for this...
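The two rules discussed in the thread (a re-prompt only on user action with exponential backoff, and at most one dialog per user action), modeled together as an added sketch that is not part of any comment and not a real browser API. `RepromptGate`, its method names and the delay values are hypothetical.

```javascript
// Hypothetical browser-side policy for re-showing a denied permission prompt.
class RepromptGate {
  constructor({ baseDelayMs = 1000, maxDelayMs = 3600000 } = {}) {
    this.baseDelayMs = baseDelayMs;
    this.maxDelayMs = maxDelayMs;
    this.dismissals = 0;           // how many times the user said no
    this.nextAllowedAt = 0;        // earliest time another prompt may show
    this.activationPending = false;
  }
  // Called on a trusted click or key press (assumed to come from the browser).
  noteUserGesture() { this.activationPending = true; }
  // Called when page script asks to show the prompt again.
  requestPrompt(nowMs) {
    if (!this.activationPending) return { shown: false, reason: "no-user-gesture" };
    this.activationPending = false; // one gesture buys at most one attempt
    if (nowMs < this.nextAllowedAt) {
      return { shown: false, reason: "backoff", retryAt: this.nextAllowedAt };
    }
    return { shown: true };
  }
  // Called when the user dismisses or denies; doubles the wait each time.
  recordDismissal(nowMs) {
    const delay = Math.min(this.baseDelayMs * 2 ** this.dismissals, this.maxDelayMs);
    this.dismissals += 1;
    this.nextAllowedAt = nowMs + delay;
    return delay;
  }
}

// Constructed timeline: a script loop, then real clicks with dismissals.
function simulate() {
  const gate = new RepromptGate({ baseDelayMs: 1000 });
  const log = [];
  log.push(gate.requestPrompt(0).reason);   // script loop, no click
  gate.noteUserGesture();
  log.push(gate.requestPrompt(0).shown);    // first click shows the dialog
  log.push(gate.requestPrompt(0).reason);   // same click cannot show a second
  log.push(gate.recordDismissal(0));        // user says no, wait 1000 ms
  gate.noteUserGesture();
  log.push(gate.requestPrompt(500).reason); // click during the wait
  gate.noteUserGesture();
  log.push(gate.requestPrompt(1000).shown); // click after the wait
  log.push(gate.recordDismissal(1000));     // second no, wait doubles
  return log;
}

console.log(simulate());
```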