index.bs

<pre class='metadata'>
Title: Permissions
Repository: w3c/permissions
Status: ED
ED: https://w3c.github.io/permissions/
TR: https://www.w3.org/TR/permissions/
Shortname: permissions
Level: 1
Group: webappsec
Editor: Mounir Lamouri, w3cid 45389, Google Inc. https://google.com/
Editor: Marcos Cáceres, w3cid 39125, Mozilla https://mozilla.com/
Editor: Jeffrey Yasskin, w3cid 72192, Google Inc. https://google.com/
Previous Version: https://www.w3.org/TR/2015/WD-permissions-20150407/

Abstract: The <cite>Permissions Standard</cite> defines common infrastructure for other specifications that need to interact with browser permissions. It also defines an API to allow web applications to query and request changes to the status of a given permission.
Mailing List: public-webappsec@w3.org
Mailing List Archives: http://lists.w3.org/Archives/Public/public-webappsec/

!Participate: <a href="https://github.com/w3c/permissions">We are on Github.</a>
!Participate: <a href="https://github.com/w3c/permissions/issues">File a bug.</a>
!Participate: <a href="https://github.com/w3c/permissions/commits/gh-pages">Commit history.</a>
!Implementation status: <a href="https://code.google.com/p/chromium/issues/detail?id=437770">Blink/Chromium</a>
!Implementation status: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1105827">Gecko</a>

Markup Shorthands: css no, markdown yes
</pre>
<pre class="anchors">
spec: ECMAScript; urlPrefix: https://tc39.github.io/ecma262/#
    type: dfn
        text: Realm; url: sec-code-realms
        text: current realm; url: current-realm
    type: interface
        text: TypeError; url: sec-native-error-types-used-in-this-standard-typeerror
spec: mediacapture-main; urlPrefix: https://w3c.github.io/mediacapture-main/#
    type: attribute
        for: MediaDeviceInfo; text: deviceId
    type: method
        for: MediaDevices; text: getUserMedia(); url: dom-mediadevices-getusermedia
</pre>
<pre class="link-defaults">
spec: dom
    type: interface
        text: Document
spec: html
    type: dfn
        text: event handler
        text: event handler event type
        text: in parallel
        text: origin; for: /
        text: queue a task
spec: ui-events
    type: dfn
        text: user agent
spec: webidl
    type: interface
        text: Promise
</pre>

<section class='non-normative'>
  <h2 id="scope-of-this-document">
    Scope of this document
  </h2>
  <p><em>This section is non-normative.</em></p>
  <p>
    This document specifies a model and an API to query and request permissions
    to powerful features on the Web platform. Web APIs have different ways to
    deal with permissions. The [[notifications]] API allows developers to
    request a permission and check the permission status explicitly.
    Others expose the status to web pages when they try to use the API,
    like the [[geolocation-API]] which fails if the permission was not
    granted without allowing the developer to check beforehand.
  </p>
  <p>
    The Permissions API provides tools for developers to control when permission
    prompts are shown and to relinquish permissions that are no longer needed.
  </p>
  <p>
    The solution described in this document is meant to be extensible, but isn't
    meant to be applicable to all the current and future permissions
    available in the web platform. Working Groups that are creating specifications
    whose permission model doesn't fit in the model described in this document
    should contact the editors by
    <a href="https://github.com/w3c/permissions/issues">filing an issue</a>.
  </p>
</section>
<section class='non-normative'>
  <h2 id="privacy-considerations">
    Privacy considerations
  </h2>
  <p><em>This section is non-normative.</em></p>
  <p>
    An adversary could use a <a>permission state</a> as an element in creating a
    "fingerprint" corresponding to an end-user. Although an adversary can
    already determine the state of a permission by actually using the API, that
    often leads to a permission request UI being presented to the end-user (if
    the permission was not already {{"granted"}}). Thus, even though this API
    doesn't expose new fingerprinting information to websites, it makes it
    easier for an adversary to have discreet access to this information. Thus,
    implementations are encouraged to have an option for users to block
    (globally or selectively) the querying of <a>permission states</a>.
  </p>
</section>
<section>
  <h2 id="definitions">Definitions</h2>

  <dl>
    <dt><dfn export>New information about the user's intent</dfn></dt>
    <dd>
      The UA may collect information about a user's intentions in any way its
      authors believe is appropriate. This information can come from explicit
      user action, aggregate behavior of both the relevant user and other users,
      or other sources this specification hasn't anticipated.
    </dd>

    <dt><dfn export local-lt="feature">Powerful feature</dfn></dt>
    <dd>
      A feature of a UA that some code might not be allowed to access, for
      example because its <a>environment settings object</a> doesn't satisfy
      some criteria, or because the user hasn't given permission.
    </dd>
  </dl>
</section>
<section>
  <h2 id="permission-descriptor">
    Descriptions of permission requests
  </h2>
  <pre class='idl' title=''>
    dictionary PermissionDescriptor {
      required PermissionName name;
    };
  </pre>
  <p>
    Each <a>powerful feature</a> has one or more <dfn>aspects</dfn> that
    websites can request permission to access. To describe these aspects,
    each feature defines a subtype of {{PermissionDescriptor}} to be its
    <a>permission descriptor type</a>.
  </p>
  <div class="example" id="example-descriptors">
    <p>
      The {{"midi"}} <a>feature</a> has two <a>aspects</a>: access to normal messages, and
      access to system exclusive messages. Thus, its <a>permission descriptor type</a>
      is:
    </p>
    <pre>
      dictionary MidiPermissionDescriptor : PermissionDescriptor {
        boolean sysex = false;
      };
    </pre>
    <p>
      The {{"bluetooth"}} feature lets sites request to access whatever
      Bluetooth devices are close to to the user's device. Thus, its
      <a>permission descriptor type</a> is:
    </p>
    <pre>
      dictionary BluetoothPermissionDescriptor : PermissionDescriptor {
        DOMString deviceId;
        sequence&lt;<a idl>BluetoothLEScanFilterInit</a>> filters;
        sequence&lt;<a idl>BluetoothServiceUUID</a>> optionalServices = [];
        boolean acceptAllDevices = false;
      };
    </pre>
    <p>
      General access to Bluetooth devices is represented by `{name:
      'bluetooth'}`; access to a particular device is represented by `{name:
      'bluetooth', deviceId: "id"}`; and access to a device with a particular
      service is represented by `{name: 'bluetooth', filters: [{services:
      ['service']}]}`
    </p>
  </div>
</section>
<section>
  <h2 id="permission-operations">Permission states</h2>
  <p>
    The user agent is responsible for tracking what <a>powerful features</a>
    each <a>realm</a> has the user's permission to use. Other specifications can
    use the operations defined in this section to retrieve the UA's notion of
    what permissions are granted or denied, and to ask the user to grant or deny
    more permissions.
  </p>

  <p>
    Other specifications can also add more constraints on the UA's behavior in
    these algorithms.
  </p>

  <p>
    Within this section, |descriptor| is an instance of the <a>permission
    descriptor type</a> of the <a>powerful feature</a> named by
    <code>|descriptor|.{{PermissionDescriptor/name}}</code>.
  </p>

  <section>
    <h3 id="reading-current-states">Reading the current permission state</h3>
    <div algorithm>
      <p>
        A |descriptor|'s <dfn export local-lt="state">permission state</dfn> for
        an optional <a>environment settings object</a> |settings| is
        the result of the following algorithm, which returns one of
        {{"granted"}}, {{"prompt"}}, or {{"denied"}}:
      </p>
      <ol class="algorithm">
        <li>
          If |settings| wasn't passed, set it to the <a>current settings object</a>.
        </li>
        <li>
          If |settings| is a <a>non-secure context</a>
          and <code>|descriptor|.{{PermissionDescriptor/name}}</code> isn't
          <a>allowed in non-secure contexts</a>, then return {{"denied"}}.
        </li>
        <li>
          If there was a previous invocation of this algorithm with the same
          |descriptor| and |settings|, returning
          |previousResult|, and the UA has not received <a>new information about
          the user's intent</a> since that invocation, return |previousResult|.
        </li>
        <li>
          Return whichever of the following options most accurately reflects the user's
          intent for the calling algorithm, taking into account any
          <a>permission state constraints</a> for
          <code>|descriptor|.{{PermissionDescriptor/name}}</code>:
          <dl class="switch">
            <dt>succeed without prompting the user</dt>
            <dd>{{"granted"}}</dd>

            <dt>show the user a prompt to decide whether to succeed</dt>
            <dd>{{"prompt"}}</dd>

            <dt>fail without prompting the user</dt>
            <dd>{{"denied"}}</dd>
          </dl>
        </li>
      </ol>

      <p class="issue" id="issue-current-entry-incumbent-or-relevant">
        Safari is the only known UA that returns different results from this
        algorithm for different settings objects with the same origin. We should
        test which of the <a
        href="https://html.spec.whatwg.org/multipage/webappapis.html#realms-settings-objects-global-objects">several
        possible settings objects</a> it uses.
      </p>

      <p>
        As a shorthand, a {{PermissionName}} |name|'s <a>permission state</a> is
        the <a>permission state</a> of a {{PermissionDescriptor}} with its
        {{PermissionDescriptor/name}} member set to |name|.
      </p>
    </div>

    <div algorithm>
      <p>
        Some <a>powerful features</a> have more information associated with them
        than just a {{PermissionState}}. For example,
        {{MediaDevices/getUserMedia()}} needs to determine <em>which</em> cameras
        the user has granted the <a>current realm</a> permission to access. Each
        of these features defines an <a>extra permission data type</a>. If a
        {{PermissionName}} |name| names one of these features, then |name|'s
        <dfn export>extra permission data</dfn> for an optional <a>environment
        settings object</a> |settings| is the result of the following algorithm:
      </p>
      <ol class="algorithm">
        <li>
          If |settings| wasn't passed, set it to the <a>current settings object</a>.
        </li>
        <li>
          If there was a previous invocation of this algorithm with the same
          |name| and |settings|, returning
          |previousResult|, and the UA has not received <a>new information about
          the user's intent</a> since that invocation, return |previousResult|.
        </li>
        <li>
          Return the instance of |name|'s <a>extra permission data type</a> that
          matches the UA's impression of the user's intent, taking into account
          any <a>extra permission data constraints</a> for |name|.
        </li>
      </ol>
    </div>
  </section>
  <section>
    <h3 id="requesting-more-permission">Requesting more permission</h3>

    <p class="note">
      Spec authors, please note that algorithms in this section can wait for
      user input; so they shouldn't be used from other algorithms running on
      the main thread.
    </p>

    <div algorithm="request-permission-to-use">
      <p>
        To <dfn lt="request permission to use|requesting permission to use"
                export>request permission to use</dfn> a |descriptor|, the UA
        must perform the following steps. This algorithm returns either
        {{"granted"}} or {{"denied"}}.
      </p>
      <ol>
        <li>
          Let <var>current state</var> be the |descriptor|'s <a>permission
          state</a>.
        </li>
        <li>
          If <var>current state</var> is not {{"prompt"}}, return
          <var>current state</var> and abort these steps.
        </li>
        <li>
          Ask the user's permission for the calling algorithm to use the
          <a>powerful feature</a> described by |descriptor|.
        </li>
        <li>
          If the user grants permission, return {{"granted"}}; otherwise return
          {{"denied"}}. The user's interaction may provide <a>new information
          about the user's intent</a> for this <a>realm</a> and other
          <a>realms</a> with the <a>same origin</a>.

          <p class="note">
            This is intentionally vague about the details of the permission UI
            and how the UA infers user intent. UAs should be able to explore
            lots of UI within this framework.
          </p>
        </li>
      </ol>

      <p>
        As a shorthand, <a>requesting permission to use</a> a {{PermissionName}}
        |name|, is the same as <a>requesting permission to use</a> a
        {{PermissionDescriptor}} with its {{PermissionDescriptor/name}} member
        set to |name|.
      </p>
    </div>

    <div algorithm="prompt-user-to-choose">
      <p>
        To <dfn lt="prompt the user to choose|prompting the user to choose"
                export>prompt the user to choose</dfn> one of several |options|
        associated with a |descriptor|, the UA must perform the following steps.
        This algorithm returns either {{"denied"}} or one of the options.
      </p>
      <ol>
        <li>
          If |descriptor|'s <a>permission state</a> is {{"denied"}},
          return {{"denied"}} and abort these steps.
        </li>
        <li>
          If |descriptor|'s <a>permission state</a> is {{"granted"}}, the UA may
          return one of |options| and abort these steps. If the UA returns
          without prompting, then subsequent <a lt="prompt the user to
          choose">prompts for the user to choose</a> from the same set of
          options with the same |descriptor| must return the same option, unless
          the UA receives <a>new information about the user's intent</a>.
        </li>
        <li>
          Ask the user to choose one of the options or deny permission, and wait
          for them to choose. If the calling algorithm specified extra
          information to include in the prompt, include it.
        </li>
        <li>
          If the user chose an option, return it; otherwise return {{"denied"}}.
          If the user's interaction indicates they intend this choice to apply
          to other realms, then treat this this as <a>new information about
          the user's intent</a> for other <a>realms</a> with the <a>same
          origin</a>.

          <p class="note">
            This is intentionally vague about the details of the permission UI
            and how the UA infers user intent. UAs should be able to explore
            lots of UI within this framework.
          </p>
        </li>
      </ol>

      <p>
        As a shorthand, <a>prompting the user to choose</a> from options
        associated with a {{PermissionName}} |name|, is the same as <a>prompting
        the user to choose</a> from those options associated with a
        {{PermissionDescriptor}} with its {{PermissionDescriptor/name}} member
        set to |name|.
      </p>
    </div>
  </section>
  <section>
    <h3 id="reacting-to-revocation">Reacting to users revoking permission</h3>

    <p>
      When the UA learns that the user no longer intends to grant permission
      for a <a>realm</a> to use a <a>feature</a>, it must <a>queue a task</a>
      on the Realm's <a for="Realm">settings object</a>'s <a>responsible event
      loop</a> to run that feature's <a>permission revocation algorithm</a>.
    </p>
  </section>
</section>

<section>
  <h2 id="status-of-a-permission">
    Status of a permission
  </h2>
  <pre class='idl'>
    enum PermissionState {
      "granted",
      "denied",
      "prompt",
    };
  </pre>
  <p>
    The <dfn for="PermissionState" enum-value>"granted"</dfn> state represents
    that the caller will be able
    to successfuly access the feature without having the <a>user agent</a>
    asking the user's permission.
  </p>
  <p>
    The <dfn for="PermissionState" enum-value>"denied"</dfn> state represents
    that the caller will not be
    able to access the feature.
  </p>
  <p>
    The <dfn for="PermissionState" enum-value>"prompt"</dfn> state represents
    that the <a>user agent</a>
    will be asking the user's permission if the caller tries to access the
    feature. The user might grant, deny or dismiss the request.
  </p>
  <pre class='idl'>
    [Exposed=(Window,Worker)]
    interface PermissionStatus : EventTarget {
      readonly attribute PermissionState state;
      attribute EventHandler onchange;
    };
  </pre>
  <p>
    {{PermissionStatus}} instances are created with a <dfn
    for="PermissionStatus" attribute>\[[query]]</dfn> internal slot, which is an
    instance of a feature's <a>permission descriptor type</a>.
  </p>

  <p>
    To <dfn>create a PermissionStatus</dfn> for a given {{PermissionDescriptor}}
    |permissionDesc|, return a new instance of the <a>permission result
    type</a> for the feature named by <code>|permissionDesc|.{{name}}</code>,
    with the {{PermissionStatus/[[query]]}} internal slot initialized to
    |permissionDesc|.
  </p>
  <p>
    The <dfn for="PermissionStatus" attribute>state</dfn>
    attribute MUST return the latest value that was set on the current
    instance.
  </p>
  <p>
    The <dfn for="PermissionStatus" attribute>onchange</dfn> attribute is an
    <a>event handler</a> whose corresponding <a>event handler event
    type</a> is <code>change</code>.
  </p>
  <p id="PermissionStatus-update">
    Whenever the <a>user agent</a> is aware that the state of a
    {{PermissionStatus}} instance <var>status</var> has changed,
    it MUST asynchronously run the following steps:
  </p>
  <ol>
    <li>
      Run <code><var>status</var>@{{[[query]]}}.{{name}}</code>'s <a>permission
      query algorithm</a>, passing <code><var>status</var>@{{[[query]]}}</code>
      and <var>status</var>.
    </li>
    <li>
      <a>Queue a task</a> on the <dfn>permission task source</dfn> to
      <a>fire an event</a> named <code>change</code> at
      <var>status</var>.
    </li>
  </ol>
</section>
<section>
  <h2 id="navigator-and-workernavigator-extension">
    Navigator and WorkerNavigator extension
  </h2>
  <pre class='idl'>
    [Exposed=(Window)]
    partial interface Navigator {
      readonly attribute Permissions permissions;
    };
  </pre>
  <pre class='idl'>
    [Exposed=(Worker)]
    partial interface WorkerNavigator {
      readonly attribute Permissions permissions;
    };
  </pre>
</section>
<section>
  <h2 id="permissions-interface">
    Permissions interface
  </h2>
  <pre class='idl'>
    [Exposed=(Window,Worker)]
    interface Permissions {
      Promise&lt;PermissionStatus&gt; query(object permissionDesc);

      Promise&lt;PermissionStatus&gt; request(object permissionDesc);

      Promise&lt;PermissionStatus&gt; revoke(object permissionDesc);
    };
  </pre>
  <p>
    When the <dfn for='Permissions' method>query()</dfn> method is invoked,
    the <a>user agent</a> MUST run the following <dfn export>query a
    permission</dfn> algorithm, passing the parameter
    <var>permissionDesc</var>:
  </p>
  <ol>
    <li>Let |rootDesc| be the object |permissionDesc| refers to, <a>converted to
    an IDL value</a> of type {{PermissionDescriptor}}. If this throws an
    exception, return <a>a promise rejected with</a> that exception and abort
    these steps.
    </li>
    <li>Let |typedDescriptor| be the object |permissionDesc| refers to,
    <a>converted to an IDL value</a> of
    <code>|rootDesc|.{{PermissionDescriptor/name}}</code>'s <a>permission
    descriptor type</a>. If this throws an exception, return <a>a promise
    rejected with</a> that exception and abort these steps.
    </li>
    <li>Let <var>promise</var> be a newly-created {{Promise}}.
    </li>
    <li>Return <var>promise</var> and continue the following steps
    asynchronously.
    </li>
    <li>Run the steps to <a>create a PermissionStatus</a> for |typedDescriptor|,
    and let <var>status</var> be the result.
    </li>
    <li>
      Run <code>|status|@{{[[query]]}}.{{name}}</code>'s <a>permission query
      algorithm</a>, passing <code>|status|@{{[[query]]}}</code> and |status|.
    </li>
    <li>Resolve <var>promise</var> with <var>status</var>.
    </li>
  </ol>
  <div class='note'>
    If a developer wants to check multiple permissions at once, the editors
    recommend the use of <code>{{Promise}}.all()</code>. An example can be
    found in the <a href='#examples'>Examples section</a>.
  </div>

  <p>
    When the <dfn for='Permissions' method>request()</dfn> method is invoked,
    the <a>user agent</a> MUST run the following algorithm, passing the
    parameter <var>permissionDesc</var>:
  </p>
  <ol class="algorithm">
    <li>Let |rootDesc| be the object |permissionDesc| refers to, <a>converted to
    an IDL value</a> of type {{PermissionDescriptor}}. If this throws an
    exception, return <a>a promise rejected with</a> that exception and abort
    these steps.
    </li>
    <li>Let |typedDescriptor| be the object |permissionDesc| refers to,
    <a>converted to an IDL value</a> of
    <code>|rootDesc|.{{PermissionDescriptor/name}}</code>'s <a>permission
    descriptor type</a>. If this throws an exception, return <a>a promise
    rejected with</a> that exception and abort these steps.
    </li>
    <li>Let <var>promise</var> be a newly-created {{Promise}}.
    </li>
    <li>Return <var>promise</var> and continue the following steps
    asynchronously.
    </li>
    <li>Run the steps to <a>create a PermissionStatus</a> for
    <var>typedDescriptor</var>, and let <var>status</var> be the result.
    </li>
    <li>
      Run the <a>permission request algorithm</a> of the feature named <code>
      |typedDescriptor|.name</code> with <var>typedDescriptor</var> and
      <var>status</var> as arguments.
    </li>
    <li>
      If the previous step threw an exception, <a>reject</a> |promise| with that
      exception.
    </li>
    <li>Otherwise resolve <var>promise</var> with <var>status</var>.
    </li>
  </ol>

  <p>
    When the <dfn for='Permissions' method>revoke(|permissionDesc|)</dfn> method
    is invoked,
    the UA must return <a>a new promise</a> |promise| and run the following
    steps <a>in parallel</a>:
  </p>
  <ol>
    <li>Let |rootDesc| be the object |permissionDesc| refers to, <a>converted to
    an IDL value</a> of type {{PermissionDescriptor}}. If this throws an
    exception, return <a>a promise rejected with</a> that exception and abort
    these steps.
    </li>
    <li>Let |typedDescriptor| be the object |permissionDesc| refers to,
    <a>converted to an IDL value</a> of
    <code>|rootDesc|.{{PermissionDescriptor/name}}</code>'s <a>permission
    descriptor type</a>. If this throws an exception, return <a>a promise
    rejected with</a> that exception and abort these steps.
    </li>
    <li>The UA now has <a lt="new information about the user's intent">new
    information that the user intends</a> to revoke permission to use the
    feature described by |typedDescriptor|.
    </li>
    <li>
      If any tasks run due to <a href="#reacting-to-revocation"></a>, wait for
      them to finish.
    </li>
    <li>
      <a>Resolve</a> |promise| with the result of <code><a idl for="Permissions"
      lt="query()">query(|permissionDesc|)</a></code>.
    </li>
  </ol>
</section>
<section>
  <h2 id="common-permission-algorithms">
    Common permission algorithms
  </h2>
  <p>
    The <dfn export>boolean permission query algorithm</dfn>, given a
    {{PermissionDescriptor}} <var>permissionDesc</var> and a
    {{PermissionStatus}} <var>status</var>, runs the following steps:
  </p>
  <ol class="algorithm">
    <li>
      Set <code><var>status</var>.state</code> to |permissionDesc|'s
      <a>permission state</a>.
    </li>
  </ol>
  <p>
    The <dfn export>boolean permission request algorithm</dfn>, given a
    {{PermissionDescriptor}} <var>permissionDesc</var> and a
    {{PermissionStatus}} <var>status</var>, runs the following steps:
  </p>
  <ol class="algorithm">
    <li>
      Run the <a>boolean permission query algorithm</a> on |permissionDesc| and
      |status|.
    </li>
    <li>
      If <code>|status|.state</code> is not {{"prompt"}}, abort these steps.
    </li>
    <li>
      <a>Request permission to use</a> |permissionDesc|.
    </li>
    <li>
      Run the <a>boolean permission query algorithm</a> again on
      |permissionDesc| and |status|.

      <p class="issue" id="issue-non-persistent-grants">
        On browsers that don't store permissions persistently within an
        <a>environment settings object</a>, this will always return
        {{"prompt"}}, but still show the user an unnecessary prompt. That may
        mean that no permissions should use the <a>boolean permission request
        algorithm</a>, since it can never return an appropriate
        object-capability.
      </p>
    </li>
  </ol>
</section>
<section>
  <h2 id="permission-registry">
    Permission Registry
  </h2>
  <!-- IDL blocks can't link outside the current spec, but these enum-values are
       supposed to be defined in other specs. -->
  <pre class='lang-webidl' link-for="PermissionName">
    enum <dfn enum>PermissionName</dfn> {
      <a enum-value>"geolocation"</a>,
      <a enum-value>"notifications"</a>,
      <a enum-value>"push"</a>,
      <a enum-value>"midi"</a>,
      <a enum-value>"camera"</a>,
      <a enum-value>"microphone"</a>,
      <a enum-value>"speaker"</a>,
      <a enum-value>"device-info"</a>,
      <a enum-value>"background-sync"</a>,
      <a enum-value>"bluetooth"</a>,
      <a enum-value>"persistent-storage"</a>,
    };
  </pre>
  <p>
    Each enumeration value in the {{PermissionName}} enum identifies a
    <a>powerful feature</a>. Each <a>powerful feature</a> has the following
    permission-related flags, algorithms, and types:
  </p>
  <dl>
    <dt>An <dfn export>allowed in non-secure contexts</dfn> flag</dt>
    <dd>
      By default, only <a>secure contexts</a> can use <a>powerful features</a>.
      If this flag is set for a feature, the UA may grant access to it in
      <a>non-secure contexts</a> too.
    </dd>

    <dt>
      A <dfn export>permission descriptor type</dfn>
    </dt>
    <dd>
      <p>
        {{PermissionDescriptor}} or one of its subtypes.
        If unspecified, this defaults to {{PermissionDescriptor}}.
      </p>
      <p>
        The feature can define a <a
        href="https://en.wikipedia.org/wiki/Partially_ordered_set">partial
        order</a> on descriptor instances. If |descriptorA| is <dfn
        for="PermissionDescriptor">stronger than</dfn> |descriptorB|, then if
        |descriptorA|'s <a>permission state</a> is {{"granted"}},
        |descriptorB|'s <a>permission state</a> must also be {{"granted"}}, and
        if |descriptorB|'s <a>permission state</a> is {{"denied"}},
        |descriptorA|'s <a>permission state</a> must also be {{"denied"}}.
      </p>
      <p class="example" id="example-stronger-than">
        <code>{name: {{"midi"}}, sysex: true}</code> ("midi-with-sysex") is
        <a>stronger than</a> <code>{name: {{"midi"}}, sysex: false}</code>
        ("midi-without-sysex"), so if the user denies access to
        midi-without-sysex, the UA must also deny access to midi-with-sysex, and
        similarly if the user grants access to midi-with-sysex, the UA must also
        grant access to midi-without-sysex.
      </p>
    </dd>

    <dt>Optional <dfn export>permission state constraints</dfn></dt>
    <dd>
      Constraints on the values that the UA can return as a descriptor's
      <a>permission state</a>. Defaults to no constraints beyond the user's
      intent.
    </dd>

    <dt>
      An optional <dfn export>extra permission data type</dfn>
    </dt>
    <dd>
      If specified, the <a>extra permission data</a> algorithm is usable for
      this feature.
    </dd>

    <dt>Optional <dfn export>extra permission data constraints</dfn></dt>
    <dd>
      Constraints on the values that the UA can return as a {{PermissionName}}'s
      <a>extra permission data</a>. Defaults to no constraints beyond the user's
      intent.
    </dd>

    <dt>
      A <dfn export>permission result type</dfn>
    </dt>
    <dd>
      {{PermissionStatus}} or one of its subtypes.
      If unspecified, this defaults to {{PermissionStatus}}.
    </dd>
    <dt>
      A <dfn export>permission query algorithm</dfn>
    </dt>
    <dd>
      Takes an instance of the <a>permission descriptor type</a> and a new or
      existing instance of the <a>permission result type</a>, and updates the
      <a>permission result type</a> instance with the query result. Used by
      {{Permissions}}' {{Permissions/query()}} method and the <a
      href="#PermissionStatus-update">PermissionStatus update steps</a>. If
      unspecified, this defaults to the <a>boolean permission query
      algorithm</a>.
    </dd>
    <dt>
      A <dfn export>permission request algorithm</dfn>
    </dt>
    <dd>
      Takes an instance of the <a>permission descriptor type</a> and a
      newly-created instance of the <a>permission result type</a>. Uses the
      algorithms in <a href="#requesting-more-permission"></a> to show the user
      any necessary prompt to try to increase permissions, and updates the
      instance <a>permission result type</a> to match. May throw an exception if
      the request can fail exceptionally. (Merely being denied permission is not
      exceptional.) Used by {{Permissions}}' {{Permissions/request()}} method.
      If unspecified, this defaults to the <a>boolean permission request
      algorithm</a>.
    </dd>
    <dt>
      A <dfn export>permission revocation algorithm</dfn>
    </dt>
    <dd>
      Takes no arguments. Updates any other parts of the implementation that
      need to be kept in sync with changes in the results of <a>permission
      states</a> or <a>extra permission data</a>. Run by {{Permissions}}'
      {{Permissions/revoke()}} method and run when the UA receives <a>new
      information about the user's intent</a>. If unspecified, this defaults to
      doing nothing.
    </dd>
  </dl>
  <p>
    A <dfn export>boolean feature</dfn> is a <a>powerful feature</a> with all
    of the above types and algorithms defaulted.
  </p>
  <section>
    <h3 id="geolocation">
      Geolocation
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"geolocation"</dfn>
      permission is the permission associated with the usage of the
      [[geolocation-API]]. It is a <a>boolean feature</a> and is <a>allowed in
      non-secure contexts</a>.
    </p>
  </section>
  <section>
    <h3 id="notifications">
      Notifications
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"notifications"</dfn>
      permission is the permission associated with the usage of the
      [[notifications]] API. It is a <a>boolean feature</a> and is <a>allowed in
      non-secure contexts</a>.
    </p>
  </section>
  <section>
    <h3 id="push">
      Push
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"push"</dfn>
      permission is the permission associated with the usage of the
      [[push-api]].
    </p>
    <dl>
      <dt>
        <a>permission descriptor type</a>
      </dt>
      <dd>
        <pre class='idl'>
          dictionary PushPermissionDescriptor : PermissionDescriptor {
            boolean userVisibleOnly = false;
          };
        </pre>
        <p>
          `{name: "push", userVisibleOnly: false}` is <a>stronger than</a>
          `{name: "push", userVisibleOnly: true}`.
        </p>
      </dd>
    </dl>
  </section>
  <section>
    <h3 id="midi">
      Midi
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"midi"</dfn>
      permission is the permission associated with the usage of
      [[webmidi]]. {{"midi"}} is <a>allowed in non-secure contexts</a>.
    </p>
    <dl>
      <dt>
        <a>permission descriptor type</a>
      </dt>
      <dd>
        <pre class='idl'>
          dictionary MidiPermissionDescriptor : PermissionDescriptor {
            boolean sysex = false;
          };
        </pre>
        <p>
          `{name: "midi", sysex: true}` is <a>stronger than</a> `{name: "midi",
          sysex: false}`.
        </p>
      </dd>
    </dl>
  </section>
  <section>
    <h3 id="media-devices">
      Media Devices
    </h3>
    <p dfn-for="PermissionName" dfn-type="enum-value">
      The <dfn>"camera"</dfn>, <dfn>"microphone"</dfn> , and
      <dfn>"speaker"</dfn>
      permissions are associated with permission to use media devices as
      specified in [[GETUSERMEDIA]] and [[audio-output]]. {{"speaker"}} is
      <a>allowed in non-secure contexts</a>. {{"camera"}} and {{"microphone"}}
      MAY be <a>allowed in non-secure contexts</a>.
    </p>
    <p>
      If the <a>current global object</a> has an <a>associated `Document`</a>,
      and that {{Document}} is not <a>allowed to use</a> the feature indicated
      by attribute name <{iframe/allowusermedia}>, then the <a>permission
      state</a> of any descriptor with a {{PermissionDescriptor/name}} of
      {{"camera"}} or {{"microphone"}} must be {{"denied"}}.
    </p>
    <dl>
      <dt>
        <a>permission descriptor type</a>
      </dt>
      <dd>
        <pre class='idl'>
          dictionary DevicePermissionDescriptor : PermissionDescriptor {
            DOMString deviceId;
          };
        </pre>
        <p>
          A permission covers access to the device given in the associated
          descriptor.
        </p>
        <p>
          If the descriptor does not have a
          {{DevicePermissionDescriptor/deviceId}}, its semantic is that it
          queries for access to all devices of that class. Thus, if a query for
          the {{"camera"}} permission with no
          {{DevicePermissionDescriptor/deviceId}} returns {{"granted"}}, the
          client knows that there will never be a permission prompt for a
          camera, and if {{"denied"}} is returned, it knows that no getUserMedia
          request for a camera will succeed.
        </p>
        <p>
          If a permission state is present for access to some, but not all,
          cameras, a query without the {{DevicePermissionDescriptor/deviceId}}
          will return {{"prompt"}}.
        </p>
        <p>
          Note that a "granted" permission is no guarantee that getUserMedia
          will succeed. It only guarantees that the user will not be
          prompted for permission. There are many other things (such as
          constraints or the camera being in use) that can cause getUserMedia
          to fail.
        </p>
      </dd>
      <dt>
        <a>extra permission data type</a>
      </dt>
      <dd>
        A list of {{MediaDeviceInfo/deviceId}} values for the devices the user
        has made a non-default decision on access to.
      </dd>
      <dt>
        <a>permission query algorithm</a>
      </dt>
      <dd>
        The permission query algorithm runs the following steps:
        <ol class="algorithm">
        <li>
        If |permissionDesc|.deviceId exists in the <a>extra permission data</a>,
        set <code><var>status</var>.state</code>
        to |permissionDesc|'s <a>permission state</a> and terminate these
        steps.
        </li>
        <li>Let <var>global</var> be a copy of |permissionDesc| with the
        {{DevicePermissionDescriptor/deviceId}} member removed.
        </li>
        <li>
        Set <code><var>status</var>.state</code> to <var>global</var>'s
        <a>permission state</a>.
        </li>
      </dd>
      <dt>
        <a>permission request algorithm</a>
      </dt>
      <dd>
        Run the <a>boolean permission request algorithm</a>
      </dd>
      <dt>
        <a>permission revocation algorithm</a>
      </dt>
      <dd>
        When permission for a device is revoked, the UA MUST run the
        algorithm to stop the track for any other reason than the stop()
        method being invoked for each MediaStreamTrack sourced from that
        device. <!--TODO make a link target in the spec -->
      </dd>
    </dl>
    <p>
      The <dfn for="PermissionName" enum-value>"device-info"</dfn>
      permission controls access to names and capabilities of input and
      output devices.
    </p>
  </section>
  <section>
    <h3 id="background-sync">
      Background Sync
    </h3>
    <p>
      The <dfn for="PermissionName" enum-value>"background-sync"</dfn>
      permission is the permission associated with the usage of
      [[web-background-sync]].
    </p>
  </section>
</section>
<section class='non-normative'>
  <h2 id="examples">
    Examples
  </h2>
  <div class="example" id="example-geolocation">
  <p>
    This example uses the Permissions API to decide whether local news
    should be shown using the Geolocation API or with a button offering to
    add the feature.
  </p>
  <pre class='highlight'>
    navigator.permissions.query({ name: "geolocation" }).then(({ state }) => {
      switch (state) {
        case "granted":
          showLocalNewsWithGeolocation();
          break;
        case "prompt":
          showButtonToEnableLocalNews();
          break;
        default:
          // Don't do anything if the permission was denied.
          break;
      }
    });
  </pre>
  </div>
  <div class="example" id="example-notifications">
  <p>
    This example is using the {{"notifications"}} permission for a
    chat application to show a notification button depending on the
    permission state.
  </p>
  <pre class='highlight'>
    function updateNotificationButton(state) {
      document.getElementById('chat-notification-button')
        .disabled = (state === 'denied');
    }

    navigator.permissions.query({ name: 'notifications' }).then((result) => {
      updateNotificationButton(result.state);
      result.addEventListener('change', () => {
        updateNotificationButton(result.state);
      });
    });
  </pre>
  </div>
  <div class="example" id="example-two-permissions">
  <p>
    This example is checking whether the page has the
    {{"geolocation"}} and the {{"notifications"}} permissions
    using <code>{{Promise}}.all</code>.
  </p>
  <pre class='highlight'>
    Promise.all([
      navigator.permissions.query({ name: "geolocation" }),
      navigator.permissions.query({ name: "notifications" })
    ])
    .then(([{ state: geoState }, { state: notifState }]) => {
      console.log("Geolocation permission state is:", geoState);
      console.log("Notifications permission state is:", notifState);
    });
  </pre>
  </div>
  <div class="example" id="example-deviceId">
  <p>
    This example is checking the permission state of the available cameras.
  </p>
  <pre class='highlight'>
    navigator.mediaDevices
      .enumerateDevices()
      .then(devices => {
        return Promise.all(devices
          // filter on video inputs
          .filter(({ kind }) => kind === "videoinput")
          // map to query object
          .map(({ deviceId }) => ({ name: "camera", deviceId }))
          // map to query promise
          .map(queryObj => navigator.permissions.query(queryObj))
        );
      })
      // log the state or each camera
      .then(results => results.forEach(
        ({ state }, i) => console.log(`Camera ${i}: "${state}"`)
      ))
      .catch(
        err => console.error(err.stack)
      );
  </pre>
  </div>
</section>
<section class='non-normative'>
  <h2 id="acknowledgments" class="no-num">
    Acknowledgments
  </h2>
  <p>
    The editors would like to thank Adrienne Porter Felt, Anne van
    Kesteren, Domenic Denicola, Jake Archibald and Wendy Seltzer for their
    help with the API design and editorial work.
  </p>
</section>