One-Time Permissions in Chrome

Although other browsers already allow time-limited access by default, with the latest release 116 of the Chrome browser, one-time permissions finally come to a huge part of your web app's audience.

How does it work?

Up until now, users were shown a permissions dialog by the browser when a web app needs access to Notifications, Location, Camera, etc., where they could either allow or deny access.

In Safari 16 and Firefox 115, by default, permissions for Location, Camera and Microphone are granted for the duration of the current user session. Users have to explicitly allow access for longer periods of time.

Chrome takes a slightly different approach, one that is similar to what the mobile operating systems provide:

If a user chooses Allow this time, the web app will be granted access to location updates until one of the following happens:

• The browser tab was closed.
• A period of 16 hours has passed since the permission was granted.
• The browser tab was in background for more than 5 minutes. For permissions that are allowed in the background, such as Camera and Microphone, this 5-minute timer starts after the use of camera or microphone stopped.
• The user revoked the permission in Settings.

Note that permissions are also reset after a website or web app has not been visited for an extended period of time, regardless of the permission being granted One-time or Always.

Best practices

Although users can already revoke permissions at any time, these time-limited access permissions mean they can (and will) be revoked automatically.

A couple of things to consider:

• Do not ask for permissions before it is clear why your web app needs access. If the need for access to, for example, location or camera is not immediately clear from the user's interaction flow, consider using an explanatory dialog.
• Do not assume that a prompt status for a permission means the user never granted that permission before. It might mean they only allowed access once, or reset the permissions in the browser's settings.
• Do not assume that a granted status for a permission means the permission was granted forever. There is no way to make a distinction between One-Time and Always.
• Take into account that permissions may be revoked, reset or expire at any time. Consider using the Permissions API to listen for changes through the onchange event listener.

navigator.permissions
  .query({ name: "geolocation" })
  .then((permissionStatus) => {
    console.log(`geolocation permission status is ${permissionStatus.state}`)
    permissionStatus.onchange = () => {
      console.log(`geolocation permission status has changed to ${permissionStatus.state}`)
    }
  })

Try it yourself

Google started gradually rolling out the one-time permissions with Chrome 116. To make sure your browser asks for one-time permission:

• Install the latest Chrome 116 (or later)
• Visit https://permission.site/one-time. Click the Geolocation button.
• Select Allow this time.
• Click on the Settings drop-down (next to the URL). You will notice the Only this time setting.
• Close the tab (or put it in background and wait 5 minutes) and reopen. You will notice the permission has been reset.
• If the permissions dialog does not show Allow this time, your browser has not yet been included in the roll-out. Open chrome://flags/#one-time-permission and select Enable. Restart Chrome.

Conclusion

Just like apps on the mobile platforms, your web apps can be granted permission to access sensitive data only once, or at least temporarily.

Because users do not have to make a decision to either allow access all the time or not at all, this will potentially increase the number of visitors that allow the use of their location or camera when there is a need.

As always, we hope you liked this article, and if you have anything to add, we are available via our Support Channel.