Sites have been replacing the actual API request with a HTML5 overlay, precisely because of this - only when clicking "notify me" does the actual permission get requested, with the requisite dialog.
(The rationale is "once the permission is denied, there's no way to bring it up again; a dismissed HTML5 box can be brought up again an infinite number of times")
As for me, I went for WebAPI Manager, which blocks most of the annoyances (Vibrate API? Never saw anyone outside malvertising use that), while still allowing me to manually whitelist sites.
I actually came up with a decent use for the vibrate function on this control [0]. It's a clickwheel type interface for picking an altitude. When the number changes it triggers the vibrate function making it easier to use the interface without looking.
I've linked a demo below with the following caveat, this demo was set up exclusively as a mobile interface and still needs plenty of work. One of the issues is the clickwheel size is initialized as a percentage of the screen height when the page loads. So if you resize the window significantly or switch to mobile mode in dev tools, you must refresh the page to get the clickwheel size to adjust accordingly.
And as app builders you have to explain people how to enable the permission anyways if people try to e.g. use their current location. Luckily since a few versions now, iOS allows apps to directly open a certain settings page, e.g. location services.
Same dark pattern as phone apps that ask for permission with their own dialog then bring up real one or ones that ask for a rating but only send you to real app store rating system if you'll rate them highly.
Been trying to decide whether to do this myself, this really a dark pattern?
We're not asking until until they try to use the feature that requires location, but are using the additional pop-up. Rationale being that they probably want to allow it or they wouldnt be using app, and making it so they dont mistakenly deny and have to mess with setting is really more of a convenience.
But ya it does seem to go against the OS defined behavior.
Instead of obtruding modal, there should be just a little icon in address bar notifying that notifications are available, like some browsers used to notify about available RSS feed.
Even discord and slack I don't want browser notifications. Inside their own tab, I can deal with ui elements. There's no need nor no want to have a page alert outside of the web page itself.
It can be useful when you get mentioned, like for example, a user has pinged the moderator role where a quick reaction will be necessary. Desktop notifications can significantly reduce reaction time to important events (though, assuming you do the sane and set Discord to only notify you on mentions that aren't @here or @everyone)
Study websites reminding me that it is time for my next study session are great for establishing the habit of doing my studies.
When I was single I would have had time for 3 of them - total in my life. I think systems should automatically block all requests for notifications if you already have 3 since it is not possible for more than that to be useful. (the exact number is debatable, but 3 is close). Note that I said systems - I want firefox, chrome, ie, safari to work together across all the computers I have to keep the number down - for security reasons I understand they cannot but that would be ideal.
But we are in an age where any random website wants to send you realtime push notifications.
Instead of pestering you with an overlay that takes up screen real estate, the browser should indicate what subscription options are available for a page, e.g. in the address bar next to the page info icons.
I agree, this was bothering me too. But they implemented it all or nothing. If I disable it in preferences it is completely disabled, no way to activate it for a single site.
They should have disabled the popup, but still allow me to activate it on a per site basis by clicking on the ⓘ in the url bar.
Same for location, webcam and mic. I don't want sites to nag me with the location sharing notification, but on google maps I would like to enable it manually by pressing the ⓘ and granting permission.
I've been using the beta 59.0bxx series for quite a while and there are plenty of fun settings in about:preferences and about:config. One very important setting from preference, as I push those I know to adopt password managers, is the "Remember logins and passwords for websites" checkbox (don't save them in the browser). Another important security related setting for those with relatively new 2fa tokens is the "security.webauth.u2f" setting in about:config (still set to false by default with Firefox 59).
(The rationale is "once the permission is denied, there's no way to bring it up again; a dismissed HTML5 box can be brought up again an infinite number of times")
As for me, I went for WebAPI Manager, which blocks most of the annoyances (Vibrate API? Never saw anyone outside malvertising use that), while still allowing me to manually whitelist sites.