by BraveSnoo1028 2115 days ago
Serious question. Since this is going to be enabled by default by Chrome 86, is there any way to block JavaScript from using the API? Or force it to ask for permissions? Because it seems like anything that uses the API by default has full access to my filesystem (at least based on the demo on that page). That seems insane. I don't even want anything JS-based to see my filesystem. That's a huge breach of privacy.
2 comments

Not exactly what you're asking, but some thoughts:

* There is, for the moment, a flag to disable it, right?

* You could probably just have noscript/umatrix block JS outright (yes, I know this is overkill)

* Sibling comment is probably right in that Firefox is likely to not implement this immediately, if at all.

* You could also do it from the outside by sandboxing the whole browser; this is a somewhat poor mitigation (ex. leaves your Downloads directory wide open), but it could help.

There's also Luminous[1], which can allow blocking individual JS events (addEventListener and handleEvent calls). Something like that could also be extended to allow blocking of other API calls.

[1] https://gbaptista.github.io/luminous/doc/en-US/
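
Added example, not part of any comment in this thread and not Luminous code: a sketch of how blocking "other API calls" could look as a content-script shim. It assumes "the API" is Chrome's File System Access API and its three picker functions; `blockApis` and `makeFakeWindow` are hypothetical names, and the fake window is constructed so the code runs outside a browser.

```javascript
// Picker entry points of Chrome's File System Access API (assumed to be
// the API the thread is about; the thread itself does not name it).
const FS_PICKERS = ["showOpenFilePicker", "showSaveFilePicker", "showDirectoryPicker"];

// Replace each named function on `target` with a stub that rejects, and lock
// the property so later page script cannot restore or redefine it.
function blockApis(target, names, onBlocked = () => {}) {
  const result = { blocked: [], absent: [], failed: [] };
  for (const name of names) {
    if (!(name in target)) { result.absent.push(name); continue; }
    const stub = function () {
      onBlocked(name);
      // The pickers return promises, so reject instead of throwing synchronously.
      return Promise.reject(new Error(`${name} blocked by policy`));
    };
    try {
      Object.defineProperty(target, name, {
        value: stub, writable: false, configurable: false, enumerable: true,
      });
      result.blocked.push(name);
    } catch (err) {
      // Property is already locked (by an earlier call or another script).
      result.failed.push(name);
    }
  }
  return result;
}

// Constructed stand-in for a page's window: two pickers present, one missing.
function makeFakeWindow() {
  return {
    showOpenFilePicker: async () => ["handle"],
    showDirectoryPicker: async () => "dir-handle",
  };
}

// In an extension this would run in the page's main world at document_start:
//   blockApis(window, FS_PICKERS, (n) => console.warn("blocked", n));
```

A shim like this only covers the window it is installed in, and only if it runs before any page script; iframes have their own globals and need the same treatment.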

The simple answer is to not use Chrome.