Perhaps a noob question but doesn't the browser ask for permission to use the microphone? And hence: they can't really listen in if you haven't given it explicitly.
Plus: At least Instagram and Messenger will force you to enable the microphone to let you use the camera even if just to take pictures. Now I always take pictures from the Camera app and simply load it into the app instead of giving them permission to use the microphone.
I can only assume that up until P developers could record both sound and video in the background. That's some scary shit.
[edit] Why isn't there a system level visual indication or audit trail of any camera or mic access? Surely this would be trivial to implement, you could even disable it if you just didn't give a toot about privacy at all.
Indeed. Finally in Mojave Apple is adding direct control over which apps have access to the camera and microphone, but in general iOS is miles ahead of macOS in regards of privacy control.
This is just truly bad if they use the this permission to then record you without knowing! You gave the permission to take a video when you wanted to, not when they want to..
I wonder if the apps and browsers will get a "grant access for 5 minutes" setting, so that one can feel safe with the services of these services. EDIT: Or maybe lock-screen/pulldown-screen (or whatever it's called) notification that has a "remove permission" button so that you can remove it when you're done.
Firefox has both the option of granting the permission only for the current pageload (this is in fact the default behavior!) and exactly the "click the icon and revoke the permission" behavior you are asking for once you have granted the permission. So "browsers" already do this, for some values of "browsers". l)
Many permissions like that are used in ways a typical user doesn't expect. Companies will explain it away by saying you agreed to it in the terms of service, although it's generally acknowledged that almost nobody reads or understands those terms for any company.
For example, most people don't realize that when you give an app read access to your photos, it probably will scan every single one of them for data and upload it to the app's maker. Practices like this are so common that I don't even think the developers understand that they're abusing users' trust.
On macOS Safari, any location request through the browser API (not based on IP geolocation server-side) only gives the option to allow it for a day, not permanently. It's a start.
In Firefox you can grant the permissions once (for the current page only) or grant them forever, your choice. If your browser doesn't offer that choice, that's a problem with your browser.