Categories: Uncategorized

Reducing Notification Permission Prompt Spam in Firefox

Permission prompts are a common sight on the web today. They allow websites to prompt for access to powerful features when needed, giving users granular and contextual choice about what to allow. The permission model has allowed browsers to ship features that would have presented risks to privacy and security otherwise.

However, over the last few years the ecosystem has seen a rise in unsolicited, out-of-context permission prompts being put in front of users, particularly ones that ask for permission to send push notifications.

In the interest of protecting our users and the web platform from this, we plan to experiment with restricting how and when websites can ask for notification permissions.

Rationalizing Push Notification Permission Spam

Push notifications are a powerful capability that enables new kinds of interactions with sites. It is hard to imagine a modern chat or social networking app that doesn’t send notifications. Since notifications can be sent after you leave a site, it is only natural that a site would need to ask for permission to show them.

A Notification Permission Prompt

Looks familiar?

But anecdotal evidence tells us that there is an issue with notification permission prompts among our user base. As we browse the web, we regularly encounter these prompts and more often than not we become annoyed at them or don’t understand the intent of the website requesting the permission.

According to our telemetry data, the notifications prompt is by far the most frequently shown permission prompt, with about 18 million prompts shown on Firefox Beta in the month from Dec 25 2018 to Jan 24 2019. Not even 3% of these prompts got accepted by users. Most prompts are dismissed, while almost 19% of prompts caused users to leave the site immediately after being confronted with them. This is in stark contrast to the camera/microphone prompt, which has an acceptance rate of about 85%!

This leads us to believe that

  1. There are websites that show the notification prompt without the intent of using it to enhance the user experience, or that fail to convey this UX enhancement when prompting.
  2. There are websites that prompt for notification permission “too early”, without giving users enough context or time to decide if they want them, even if push notifications would significantly enhance the user experience on that site.

Last year Firefox introduced a new setting that allows users to entirely opt out of receiving new push notification permission prompts. This feature was well received, among users that discovered it and understood the implications. But we still fail to protect the large part of our users that do not explore their notification settings or don’t want to enforce such drastic measures. Thus, we are starting to explore other methods of preventing “permission spam” with two new experiments.

Experiment 1: Requiring User Interaction for Notification Permission Prompts in Nightly 68

A frequently discussed mitigation for this problem is requiring a user gesture, like a click or a keystroke, to trigger the code that requests permission. User interaction is a popular measure because it is often seen as a proxy for user consent and engagement with the website.

Firefox Telemetry from pre-release channels shows that very few websites request push notifications from a user gesture, indicating that this may be too drastic of a measure.

We suspect that these numbers might not paint a full picture of the resulting user experience, and we would like to get a real world impression of how requiring user interaction for notification permission prompts affects sites in the wild.

Hence, we will temporarily deny requests for permission to use Notifications unless they follow a click or keystroke in Firefox Nightly from April 1st to April 29th.

In the first two weeks of this experiment, Firefox will not show any user-facing notifications when the restriction is applied to a website. In the last two weeks of this experiment, Firefox will show an animated icon in the address bar (where our notification prompt normally would appear) when this restriction is applied. If the user clicks on the icon, they will be presented with the prompt at that time.

Prototype of new prompt without user interaction

Prototype of new prompt without user interaction

During this time, we ask our Nightly audience to watch out for any sites that might want to show notifications, but are unable to do so. In such a case, you can file a new bug on Bugzilla, blocking bug 1536413.

Experiment 2: Collecting Interaction and Environment Data around Permission Prompts from Release Users

We suspect that requiring user interaction is not a perfect solution to this problem. To get to a better approach, we need to find out more about how our release user population interacts with permission prompts.

Hence, we are planning to launch a short-running experiment in Firefox Release 67 to gather information about the circumstances in which users interact with permission prompts. Have they been on the site for a long time? Have they rejected a lot of permission prompts before? The goal is to collect a set of possible heuristics for future permission prompt restrictions.

At Mozilla, this sort of data collection on a release channel is an exception to the rule, and requires strict data review. The experiment will run for a limited time, with a small percentage of our release user population.

Implications on Developers and User Experience

Web developers should anticipate that Firefox and other browsers may in the future decide to reject a website’s permission request based on automatically determined heuristics.

When such an automatic rejection happens, users may be able to revert this decision retroactively. The Permissions API offers an opportunity to monitor changes in permission state to handle this case.

As a general principle, prompting for permissions should be done based on user interaction. Offering your users additional context, and delaying the prompt until the user chooses to show it, will not only future-proof your site, but likely also increase your user engagement and prompt acceptance rates.

 

10 comments on “Reducing Notification Permission Prompt Spam in Firefox”

Post a comment

  1. Eric wrote on

    Awesome news, I deeply hate all those notifications prompts.

    Next one: remove all the annoying modal windows that are used everywhere nowadays to sign up on newsletter or similar crappy requests. Pleeeeease

    Reply

    1. Konrad wrote on

      Eric, there’s an extension for removing modals: https://addons.mozilla.org/en-US/firefox/addon/behind_the_overlay/

      It doesn’t hide automatically, but once clicked, will close all “accept cookies”, “accept gdpr consent”, “subscribe to newsletter”, “like us on facebook to see the content” etc at the same time.

      Reply

  2. Des wrote on

    Agreed on the modal windows.

    When I complain to such sites I have to visit regularly, they have the cheek to tell me this is MY FAULT for not keeping their cookies, which would make such forms appear only once, on first visit.

    Reply

  3. Flavio wrote on

    God i hate those push notifications request. They are mostly used to send you spam and i would NEVER want to accept them. At least i believe we do need a settings to disable those popup. Let us enable them by clicking on the little icon if we really need them.

    Reply

  4. Johan Baaij wrote on

    Article sites seem to have these notification prompts. More often than not I take them as a cue that the article I clicked on is probably not worth my time. I wonder if that’s what most of that 19% of users think when they immediately leave.

    Sort of related: what about those fake prompts?! The ones that try to imitate the browser UI. Surely also a problem, but perhaps out of scope for Firefox developers?

    Reply

  5. v t x f m wrote on

    Honestly I think 97% of people would be totally fine with removing notifications from a general web browser altogether. Nearly any site with notifications people actually use has its own specialized standalone app that is virtually always used on a mobile device (gmail and social cancer like facebook) so people aren’t really going to miss out on those. It seems like blatant feature disease, and that’s not Mozilla’s fault but still–these are overreaches of the expected confines of a general browser. “Experience” and other euphemisms be damned, you gotta draw the line somewhere.

    Or maybe I’m just terribly old-fashioned. Does anyone have reliable stats on how many people truly use desktop notifications? All of my respect towards firefox comes from their dedication to user control and privacy, but as the updates march on I’m required to dive into about:config for more and more settings. Maybe I’m just getting more paranoid, but the paranoid are a demographic too eh? Would love to see a setting in the regular options to deny all permission requests. Maybe a whitelist for people who wanna get facebook off their phone (smart move) but are still too addicted to scorch the earth and block them on the router level. This might be add-on territory, but dang I got a whole squadron of those already.

    Reply

    1. J Redhead wrote on

      Personally I allow notifications for an obscure threaded chat site i hang out on which only requests the permission if you set notifications. though it’s the kind where you have to be on the site to receive them, not the kind that pop up even if the site is closed. hmm. what’s the difference in naming? anyway, that and Discord.

      As for “native apps”, I refuse to download them because:
      1. fewer things on the taskbar open
      2. most such apps are just chromium/electron apps and i rather like having ram left
      3. (most important) In a web browser, I am ultimately still in control, with stuff like ad/tracker blocking, userstyles and userscripts, etc

      Reply

    2. qwer wrote on

      If you don’t want websites to ask you to allow notifications, but you do want websites to keep sending you notifications if you already allowed it, there’s a setting for that.

      1) Open the “Privacy & Security” sidebar at the options screen (about:preferences#privacy).
      2) Scroll down to the “Permissions” section.
      3) Click the 4th “Settings” button, the one to the right of the “Notifications” permission.
      4) Check the box that says “Block new requests asking to allow notifications”. You can also see and manage the whitelist there.

      Reply

  6. frans dijkstra wrote on

    thanks so much! I hate those. This is why I use firefox – thanks again.

    Reply

  7. Klaus Donnert wrote on

    I got a push notification on the first visit to a site behind a paywall.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *