Does Chrome need to change it’s mic/camera permission UX?

I’m a little worried about webcam and mic access in browsers at least as currently implemented. (and native apps too I suppose but less so)

As it is, in Chrome, if you let a webpage access your camera (or mic) that page’s domain gets permanent permission to access the camera or mic whenever it wants forever, no questions asked again.

I recently visited one of the early HTML5 Webcam demos that I hadn’t visited in years. I expected to get asked for permission to access the camera. Instead the camera just came on. That does not seem like a good model for web sites that are covered in ads and scripts from all over the net.

I’m sure the Chromium team was thinking of supporting hangouts when designing webcam support and I might be convinced that if hangouts always had access to the camera that might be no worse than a native app. But, it’s the browser it’s not a native app, it’s untrusted code.

Even for communications sites though if I run them in an iframe they get camera permission. In other words, say yes just once and now that domain can follow you all over the net and use your camera and mic, at least as of Chrome 59. Did you ever use your mic on facebook.com to make a call? Well now any page that has facebook social embeds can now use your mic without asking.

I don’t know what the best permission UX is. Always asking might might be tedious for actual communication websites (messenger, hangouts, slack?, …) but not asking sucks for the open web. It even sucks on a communications website if the camera or mic is not something I use often. I don’t want any app to have permission to spy on me. Imagine slack.com, imagine you use it to do a video call just once, then not again for 6 months even though you’re text chatting constantly. During that entire time, at any time slack could have been accessing your mic or you camera. I personally want to opt-in to always ask. I think I’d prefer this even in native apps but especially for the web. The UX doesn’t have to suck. Clicking “call” and having the browser say “this app wants to access your mic, Y/N” doesn’t seem like a burden.

Here’s a demo of the issue.

At a minimum it seems like iframes should not get automatic permission even if that domain had permission before. Otherwise some ad company will make a compelling camera demo just to get you to say yes once to using the camera on their domain. Once they do all their ads all over the net can start spying on you or using the mic to track you.

Even then though there are plenty of sites that allow users to post JavaScript, give access to one user’s page and all users’ pages get access. So nice person makes camera demo, bad person takes advantage that that domain now has access to your mic or camera.

I filed a bug on this about 5 months ago but no word yet. If you think this is an important issue consider starring the bug. Until then, if this concerns you go to chrome://settings/content/camera in Chrome and remove all the sites you’ve enabled the camera for. Do the same for the microphone by going to chrome://settings/content/microphone.

If you use a site that needs access to the camera or the mic, once you’ve given it permission to use the camera or the mic a small icon will appear in the URL bar. When you’re done with the site you can click that icon to remove permission. That’s tedious and you’re likely to forget but it’s better than nothing for now.