Permission.site (permission.site)
728 points by valand on March 26, 2021 | 178 comments



Absolutely blown away by the number of things you can do from a web browser these days. All of this would've been unimaginable a mere 10 years ago, right around the time when Google Chrome was in its infancy (or just out of it, to be precise) and the web browser market was still dominated by Internet Explorer, with Opera, Firefox and Safari (back when there was a Windows version of Safari) taking up small slices of the market share.

Another cool site to check out: https://coveryourtracks.eff.org -- a great tool to see how unique your browser's 'fingerprint' is and how well it protects you from trackers and other annoyances online.


I'm so glad. I trust running whatsapp.com, messenger.com, slack.com, discord.com, bluejeans.com, zoom.com etc. I do not trust installing the WhatsApp app, Slack app, Discord app, Zoom app, or BlueJeans app. In the browser I have control, native (at least on Windows) I don't. Those native apps, at least on Windows, can basically do anything. Read my entire hard drive, scan my network, install a key logger, turn on my camera and mic, etc. In the browser they can't.


It's so frustrating that they deliberately make shitty web apps in order to force you to install an app on your phone (e.g. reddit, instagram)

It should be illegal imo


Facebook is the #1 offender in my opinion. I absolutely refuse to install any Facebook app. Back in the day, you could message people in the mobile browser without issue. Heck, it even loaded new messages without needing to refresh.

Then they decided you should need the app to message people.

Then they decided you should use a completely separate app to message people versus browse Facebook.

Now I have to use mbasic.facebook.com to message people. The quality of the experience dropped so much because, but I'm glad they don't have access to my contacts, text messages, location, etc. They get enough info about me from other sources.


Yup, this exact timeline of degraded experience on Facebook led me to disable my account. I haven't reactivated it in over a year, and I'm happier for it.


What kills me is I recall the mobile browser experience being better in the 2012 era than 2021. We've moved from alright 3G to widely available 4G with populous areas having 5G, and with home internet connections generally being much faster. The same website code could provide a much better experience simply from more bandwidth availability. Instead we've regressed because everything needs an app now.

Some forum software allows the owners to create an app then prompts you to install their app. Not sure which it is, but it's super annoying.

Over the last couple, reddit has significantly limited their mobile website utility, requiring login (like Instagram) and nagging you to download the app.

Marketing metrics seem to have overcome usability in terms of relative importance. It's really frustrating to see what the mobile computing environment has become.


I asked my dad to send me a picture of his shed recently. He asked if I have WhatsApp. I reminded him I don't use any social media. And he said, uh, it's going to be very hard for me to figure out how to send it without WhatsApp.

No shed picture. But no compromises here either.

Also I find it totally hilarious that I'm 42 and I have never even seen WhatsApp's interface yet my 80 year old father is a social media expert in a lot of ways.


I've been mostly trying to get my friends and family onto Signal. I really want to ditch FB messenger.


Yeah I agree with the spirit of that. There should be a name for that practice, something that makes it sound as bad as it is but catchy. Maybe, something like webhostaging. Reddit’s webapp on mobile is notorious for webhostaging you into downloading their native app. It’s literally unusable.

There should also be a name for ostensibly public social media sites that webhostage you into signing up. Instagram comes to mind.

It’s a reprehensible dark pattern.


"webhostaging" is a much catchier name than the other suggestions in sibling comments, I think, and more memorable because it sounds weird (a bit like "webhosting"?).

It's so clever I think I'll start using it, and also telling people I came up with it by myself.


It does sound too much like web hosting and in that sense it’s a fail. Steal it all you want, I win if companies start feeling shame anyway.


Appforcing?

The industry term is "web-to-app conversion" by the way.


I like this suggestion, I think it needs to be more catchy and roll off the tongue a bit easier. Here are some other suggestions:

Appholing, Appstunting, Nativebaiting


Webcrapp

Has both web and app in it, and it says what it does. Could also be webcrapping as verb.


I think a verb-oriented word is more powerful at shaming than a noun-oriented word. I think Crap is a little too vulgar to appeal to most people, some might feel uncomfortable at work saying crap for instance. But try it out!


App + Oppression = Appression


Maybe webhijacking? Maybe I should purchase a domain and document it... Who knows, maybe it catches on and people start linking to it.


Yes there needs to be a single use site for this. Everyone is familiar with this, it just needs a catchy name so people on Twitter spread this and easily shame websites en masse for doing it. Webhijacking is too similar to webjacking IMO https://www.geeksforgeeks.org/web-jacking/


I knew it sounded familiar from somewhere, thanks! :)


Slack, too. Slack has a perfectly good workspace sidebar in their web app, but they hide it unless you're on a Chromebook (where you can't install their native app).


Can you spoof the user agent to get it to show?


Yes. There's a Chrome extension that does it and a couple user scripts: https://webapps.stackexchange.com/questions/144258/slacks-we...


Depends on your Chromebook, I have an Acer R13 and it's installed and running (just checked it). Android apps don't have a designated "runs on Chromebook" flag as far as I know, so you can't really block it.

But Chromebooks are sometimes a little bit special. I'm working on an app right now which is designed for tablets and wanted to check if I could run it on my Chromebook, because of the bigger screen (13" compared to Samsung S5/S6 with ~10") and I couldn't install it from the alpha channel. The thing was, it has a camera, a front camera, but the Manifest.xml required the default camera permission which was missing and this prevented me from even finding the app in the PlayStore.

And Slack as app is basically only the website. All the "native" apps seem to just render it (Linux, macOS and Windows are Electron apps, the Android version feels like a WebView)


Does spoofing user agent help?


I'm fairly certain Jira does this as well. At least the first step of making the web app deliberately shitty.


JIRA just has poor-quality engineering all round. Their native apps are just as bad.


At least reddit allows third party apps.


Well how long before they tell us they are "a very different company" [1] and decide to pull the plug on 3rd party apps.

[1] https://www.reddit.com/r/changelog/comments/6xfyfg/an_update...


I think the eventual limitations on 3rd party apps are coming. A major part of the community has used/ is using the superior 3rd party alternatives, and they need to figure out how to nullify those advantages. It is inevitable because they want that sweet advertisement money for which 3rd party apps are a barrier.


See everything google related.


It's a shame Firefox just ditched the SSB project instead of fixing the bugs and making it visible for PWA use. They say it's because people weren't using it, but it was another thing that was hidden behind about:config and had some glaring bugs, which are two strong reasons why people probably weren't using it or didn't even know about it.


Indeed. They're sandboxed and you can alter the webapps in the browser. I mildly edit the CSS of most of the websites I frequently use over time with Stylus.


As long as those apps will run in my web browser, I'll run them there. I don't install any of their "native" apps. Although Google Meet is getting very difficult to run in Firefox. Crashes all the time.


Can you give us a couple of these crashes, that you can find in about:crashes (with the date sometimes it's easy to find the right one)?

If you send a link to padenot@mozilla.com I can have a look, I'm on the media team at Mozilla (that includes WebRTC).

Thanks!


I'm going to try to capture a crash report and send it to you.

I should note that it's not a "crash" -- it's just that I get immediately disconnected from the meeting when I have my video + audio on and then someone else joins. I'll try to get some repro steps and send to you!


Works fine in my Firefox... And does Google even offer native PC apps any more? I work there and haven't heard of such a thing.


Drive and Photos have native apps, for obvious reasons (sync).


Doesn't google meet not have a native app? We use Google Meet at work and using a browser to screen share a browser or IDE window seems to absolutely peg my CPU no matter which browser I use.

I have no love for Zoom but at least they have a desktop app so I can screen share without bogging down my whole machine


Google meet crashing is interesting. I use it literally every day for meetings and I run Firefox as my primary browser (on Linux though, if that matters). I can't recall ever having a crash from it.


I ran into the issue recently where Zoom's web client wouldn't display my camera's correct aspect ratio. Their full client (on a burner laptop, don't trust them) had a setting to fix it.


Yeah, lucky you for running six(!) different messaging apps that you do not trust.

The future is just tragic.


It’s true that installing a native app requires a lot of trust, but on the other side of the coin, it’s not currently possible to do end-to-end encryption securely in a web app, and content in web apps is vulnerable to browser extensions with blanket permissions (there are many ubiquitous ones). Web apps also don’t have access to the OS keychain or any ability to set file permissions, meaning they can’t store local data securely without help from a server.

So if you want real data privacy, you need a native app, despite the drawbacks you point out.


You probably could with WASM? Totally create your own stack 100%.

And there are already encrypted media streams but I don't know if that counts as E2E?

A lot of these 'native' apps are just web browsers anyways...


The key difference is running a signed, static bundle of code (or binary), rather than a bunch of code that is loaded dynamically from a server on every request, which can be modified without leaving any trace.

So running WASM wouldn't make any difference if you're relying on a server to deliver you that WASM on every request. A compromised (or subpoenaed) server could simply ship you a compromised WASM payload for a single request and you'd be extremely unlikely to ever find out. If Signal wanted to add a backdoor, otoh, they'd need to ship it as a signed update to all their users, with all the reputation risk that entails.

Whether a native app is simply a browser underneath doesn't matter, just how the code gets delivered to the user. Even a browser extension or chrome app could work, since they are run from a signed, static bundle rather than from a server.

Encrypted media streams seem like a DRM feature? I don't think they have any relevance to end-to-end encryption.


I completely agree. macOS, at least since Catalina, has been seeking more specific permissions for apps which is good.

One particular video conferencing software asked for permission to read key strokes from any process! A very weird request. The only non-nefarious use case I can think of is that they want to allow keyboard shortcuts to work even when their app isn't in the foreground.


Another potential non-nefarious use case would be to make push to talk work when it's not in the foreground?


That seems really problematic though. I could be on a text editor, or the terminal or anywhere else requiring text input and might not be expecting this behaviour.


Sorry, I edited my comment not to say spacebar, since space clearly wouldn't work.

On the other hand, you might be able to do it with some key or combination that is less commonly used?


I don't get why Apple doesn't provide an API for registering global key bindings. All it needs is user permission for a binding to be registered, and some kind of preference pane that shows you an overview of registered bindings.


They do.


They can't? There's a setting in Firefox "Block new requests asking to access your camera" that you have to enable explicitly.

I'd rather have a browser that cannot access these things at all. Now I've to hope that the permissions work and the implementation is bug-free (my trust in that is quite low, browsers are too large).


If you don't select that setting, is the default to always allow, or ask every time? If the latter, then the setting is just a convenience for those who always expect to select "deny", rather than any broadening of permissions.


I'd much rather open source native apps than open source or proprietary web apps (or proprietary native apps).


I wonder if it’s possible to install an ad blocker, at least on the electron-based apps? and regain that control?


CSS-based, no.

But you can put your computer behind Pi-hole or add some of Pi-hole's lists to your hosts file, which would prevent them from communicating with tracking domains completely... unless they also bundle some sort of a proxy or a VPN.


Yeah, I'm already using nextdns, but not sure it's enough in some cases...


whatsapp, messenger, slack and discord are all just electron, so almost identical anyway. Zoom has extra desktop features. Teams has slightly more stuff on desktop, and it's electron.


Unless you're on Linux. Teams web application allows you to share individual windows, but this feature is now available in the application.


Note that coveryourtracks will be biased towards people who are private. It's a good way of identifying information that you're leaking, but you'll also see stats like 1 in 11 users disabling Javascript, which is just not representative of most of the web -- 10% of users on most sites are not disabling JS.

It's still very useful, but don't take every single number it reports as gospel. It's tracking how unique you are among people who purposefully visit a fingerprint testing site.


I casually browse with Js disabled. Everyone should. It’s a security nightmare to casually surf the web with Js enabled once you realize the frequency of WebKit/blink zero days being disclosed per month. iOS watering hole attacks are especially prevalent, even if those exploits tend not to be persistent. They just need to steal all your info once. Exhibit A: https://www.bleepingcomputer.com/news/security/google-warns-...


There are a lot of advantages to browsing casually with Javascript disabled, assuming you're OK with needing to manually fix some of the sites you visit. I browse that way myself as well; that's why I can see the results I see when I load up the tracking site. Side note that UMatrix is officially deprecated at this point, but it's still a great resource for disabling scripts globally and enabling them site-by-site as needed.

But 1 in 11 people on the web are not disabling Javascript.


I just tried cover your tracks. What's blowing my mind are the "System Fonts" field. As a designer, I constantly download fonts, and it makes my browser extremely unique it seems.


This is why Safari only exposes pre-installed fonts that come with the system to web content; it removes what can be a very unique fingerprinting data point.


Screen sharing/recording was a new one for me when I saw this nifty site on an earlier HN post: https://gifcap.dev/


I found out about screen-sharing through browser when I started using Discord app on the web. Was a very revealing moment for me when it came to insane advances in web technology.


I think it even predates discord, I think appear.in offered it many years ago


10 years ago it would have been unimaginable, but 20 years ago you could have done all of this with ActiveX controls.

(Oh and yeah 20 years ago I had AJAJ by just loading the target URL in a hidden/offscreen iframe and reading its contents programmatically. Never mind the fact that I could also read contents from the user's hard drives ... although I didn't use it for this)


Ah ActiveX -- a gold mine for malicious actors.


You say that like the web hasn't been. Hell, even if everything always worked properly, there were no XSS attacks, and users weren't easily fooled, the web would still be full of malicious actors in the form of tracking and advertisement.

Remember, we invented pop-up blockers because advertisers abused it, and we've been in an arms race with those assholes ever since. Tracking and ads in desktop apps came from the web ecosystem and now we're stuck with it.


I don’t think you can equate the two. ActiveX was barely sandboxed... in fact I’d like to say they were not sandboxed at all. They were native code running basically as root on your machine.

It was something that came back when Microsoft was still convinced the internet would be a fad. Those activeX things could do all sorts of fun exciting things on your computer.


Oh ActiveX was definitely worse, I should know since I was using the internet plenty when it was prominent. My point is, though, that malicious actors still basically control the web. They may not be executing native code without any controls, but that doesn't mean that the modern web isn't still their playground.


Oh yeah speaking of popups I once made a horrendous bouncing image script for IE 5.5 that allowed images to fly around your screen outside the browser window.

http://dynamicdrive.com/dynamicindex4/bounceimage2.htm


And JavaScript is just as bad as ActiveX was. The only difference is that you are expected to have JavaScript turned on.


There are many negative things that could correctly be said about Javascript.

But this? This comment is absolutely special.

ActiveX controls were native code, with full system access by design. Possibly even worse, it was an absolutely blatant attempt by Microsoft to monopolize the web and maintain Windows' and Internet Explorer's dominance, as the controls were of course (in practice) intimately tied to IE on Windows on x86.


Yet JavaScript is much more harmful than ActiveX ever was.

Flash was an abomination, yet you could disable it with barely any consequences. Same with ActiveX.


It was incredibly common to see Windows installs utterly compromised by ActiveX controls doing god-knows-what, to both the infected computer and every other computer on the corporate network.

The damage to individuals and the economy in terms of lost productivity and compromised personal information directly attributable to ActiveX's "compromise my system by design" nature is incalculable.

To compare that to Javascript is rather spectacular.

If you want to argue that Javascript has been able to wreak more damage over time precisely because it's not as objectively insane and immediately destructive as ActiveX, well fine. It could be said that Javascript is Covid-19 to ActiveX's ebolavirus. Ebola is so wantonly destructive that it kills many of its victims before they have a chance to infect others, whereas Covid's less-awful nature has actually allowed it to harm more people over time and is now probably here to stay, like influenza.

> Flash was an abomination, yet you could disable it with barely any consequences. Same with ActiveX.

This was very nearly not the case.

IE/Win had close to 100% market share at one point. We were a hair's breadth away from a future where you could, in fact, not disable ActiveX without shutting yourself off from much of the web, like Javascript today.

South Korea was actually there for a time. If you wanted to spend money online, various regulations meant running ActiveX was a requirement.


Not that common. A bigger plague (though somewhat later if my memory serves me right) was toolbars that were sneaked into every other application.

The power consumption alone of JavaScript easily shadows that. Pretty much no desktop computer in the world can go in lower sleep states because of javascript "idling" in the background. And a decent percentage of CPU cores are constantly pegged at 100%. Imagine the number of batteries that have prematurely died because of the stress of javascript - when all the user wanted was to read static text.

Enabling ActiveX for your bank site is hardly the same. The real issue was running it on another OS than windows. Happily trade it for what we have today though.


I miss the old internet too. But think about the way things were trending, and the way they have trended.

Online commerce, content delivery, and advertising are what, multiple trillions of dollars' worth of business?

Once the web/internet became established and began trending toward ubiquity, companies were clearly always going to invest a lot into vying for our dollars and eyeballs. Without viable competition in the form of web standards, Javascript, and operating systems besides Windows it's almost certain that the evolving web would have leaned into ActiveX and/or Flash and made them essentially a requirement in much the way that Javascript is currently a requirement today.

The timeline we're living in is not ideal, and I really dislike Javascript for a number of reasons, but it's also one of the primary reasons we're not living in an even worse timeline.

There was always going to be something like Facebook. Now imagine Facebook... except powered by ActiveX instead of Javascript. Apologies if you just vomited as violently as I did while typing that. But when you talk about gladly trading Javascript for ActiveX, that's the sort of absolutely ruined world you're pining for.


But ActiveX didn't die because of competition, it died because it was terrible. The same fate happened to java applets. There was no real mainstream momentum for either.

For sure things would have been different if Microsoft had really tried to exploit their monopoly. But they just left it there as if waiting for the competition to catch up and surpass.

Flash could have been it, not that flash was much better but at least you could read text without it.

It could be that anything would be made to suck. But it doesn't really follow that money means tracking to this extent and come with such poor user experience. With trillions of dollars on the line we make it so slow it is barely usable. Oftentimes there are many layers of popups and checkboxes just to get at the content. And somehow that is worth it? The incentives are insane. Tragedy of the commons is putting it kindly.

Dark patterns are at an all time high. The techniques in the nineties used by criminals to trick you into running that attached executable in outlook express are now finessed by the largest corporations to trick you into allowing them to track you even more. On top of that the monoculture situation is pretty terrifying.

I wouldn't bet on humanity not being able to make it worse but it is hard to accept the state that we are in.


> South Korea was actually there for a time. If you wanted to spend money online, various regulations meant running ActiveX was a requirement.

This playbook is happening again in China now. Not with ActiveX but with WeChat and AliPay. It's increasingly difficult to live there without either of the two apps and I think it does not bode well for the future for society to be reliant on two private corporation apps for basic needs, in the same way that it was not a good idea for the world to be dependent on ActiveX 20 years ago.


Tons of business apps were written in ways that required activeX. It was one of the main reasons so many companies held on to ancient versions of IE.

Sure you could disable activeX but in practice it would have been rare.

People bitch that sites don’t support people who disable JavaScript but it really isn’t worth catering to that type of person. I’ve been in multiple shops where we had the debate about how to handle non-JavaScript clients and every single time all the developers agreed it wasn’t worth the hassle.

This includes companies who had blind developers using screen readers and companies that had major legal liability if the site wasn’t accessible. The “screen readers don’t support JavaScript” argument has been dead for years now. The only people without JavaScript are those who intentionally disable it.

It’s just not worth building what is almost a second website for incredibly tiny amount of non-JavaScript viewers out there.


Yes, and that was for internal use on the intranet. And yes, it was a huge problem that they insisted on using such old versions of IE, but that was the issue - not ActiveX.

Perhaps the question should have been, why make a special version for the ones with javascript?


Year after year the web remains my favorite platform to use and develop for. No other platform comes even close to the compatibility, reach, staying power as the web. Here's to 100 more years of the web (or something web-like in the future).


I agree with you.

But I'm afraid we're in its dying days, at least as far as the original ideals of the web were concerned.

In our rush to make browsers more powerful application platforms rivaling operating systems themselves, we raised the bar so high that we ensured the web's destruction: by guaranteeing that it would eventually be effectively controlled by a single browser maker.

In practice, this was probably always going to be Google, but if it wasn't Google it would simply have been some other Google-sized player.


I'm still trying to figure out whether these capabilities are a good thing or a bad thing. On the positive side, what can be done through a web browser is absolutely amazing and web browsers offer finer grained control over resource access than the typical desktop operating system. On the negative side, most of these capabilities have privacy and security risks that are disproportionate to their value in a medium that is primarily used for media consumption.


One might even say that it’s a net negative for society.


I think it was very much imaginable but browser makers were/are in no hurry to have their precious app store ecosystems replaced by web apps.


Hold up the browser is sending them a unique-to-me microphone test audio recording hash? Um?


It's so sad that such amazing features are often abused more than they are actually used. It's always a cat and mouse game with the browser vendors and ad makers.

Like web push notifications and popups are two really useful features but the amount of abuse they have had to endure is amazing. Every shitty site from newspapers to reddit to facebook must show a dark screen and ask me to subscribe to web notifications before I can see anything.

Then there are hidden APIs for which no permission is needed, like trapping of the back button (where a site gains access to my browser's back button and won't let you go back) and page close button (where it shows a popup asking you to confirm you want to leave).


Push notifications in Safari just suck because the discoverability method is a dialogue box that interrupts and blocks all other user actions.

The browser should never let a website interrupt unless allowed by the user. Place a bell icon in the address bar and make it translucently balloon up when triggered for visibility.

Side note: Browser interface should stay outside the untrusted zone of web content. Whenever it can't, interface could have an unobtrusive unimitable background pattern extending from the trusted zone into the untrusted zone. The user should always know what is browser or website.


Blocking notifications by default made my browsing experience so much better. The amount of "allow notifications" bullshit on the Web is insane.


You must be visiting some shady sites.


The trend of asking for notifications is not just limited to "shady" sites, however you define that.


Well, in the case of news, they need to make money. If they can’t show you ads, you are of zero value to them, only adding to costs (and I hate the practice just as much)

What I want since forever is a tipjar that works well. I put a bit of credit into my tipjar. I read an article and at the halfway point it allows me to tip an amount. Should be anonymous if I want and a one or two clicks affair.


Doesn't include motion sensors, I think there might be a few other recent additions also missing.

Of all the sites on Earth that I could learn this existed in the browser, it was Rolling Stone, with some generic static article on something I can't even remember.

Why exactly does a magazine need access to my gyroscope, magnetometer and acceleration sensors? Especially considering that I'm on a desktop that thankfully doesn't have such things.


To see whether you're rolling?


My cynical guess is to help identify you to advertisers or something to sell to data brokers.


Unless the page has some feature that obviously uses accelerometer features, it’s 100% that, no cynicism necessary. This is a not-uncommon fingerprinting technique.


The magazine doesn't, but advertisers are interested in using this as yet another way of fingerprinting you: https://www.cs.cmu.edu/~anupamd/paper/NDSS2016.pdf [PDF warning]


In order to experiment with WebXR without having my Oculus continuously on my head, I installed the WebXR emulator extension from Mozilla.

I'm stunned how often I get the permission prompt on completely unrelated websites.

I guess it allows tracking scripts to do even more fingerprinting.


> I'm stunned how often I get the permission prompt on completely unrelated websites.

I have the same problem and found that the embedded Vimeo player assumes all videos could be played in VR, although the video is a normal, flat video, so any webpage embedding a Vimeo video, prompts that permission notification for me, although the actual video could be on a different page but still initialized on page load.


It was unknown to me until last week that web browsers can now share screens--I mean the whole desktop! I had to do a webex session, and I assumed I needed either Chrome or some kind of native app to do screen share. But, to my pleasant surprise, webex worked well with Firefox!

Also new to me is 'pointer locking'. I wonder/wish if/when browsers would be able to transparently pass key bindings that'd otherwise be captured by the OS, like Alt+Tab. Then, just by visiting a website, I could use, for example, Citrix desktop remote login through my browser as if it were a native app.


There is a keyboard lock API, and you can capture Alt+Tab, but only when you're already in full-screen mode. Mostly Chrome only: https://caniuse.com/mdn-api_keyboard_lock


Chrome remote desktop has quickly replaced teamviewer, vnc, ms remote desktop and osx screenshare for me, in one fell swoop! Most significantly for helping other developers (usually just to undo a git state :)


The mouseover effect on the HTTP/HTTPS toggle is very annoying. It makes it hard to ascertain which mode you're actually in while the cursor is anywhere near it.


Yeah, I clicked that thing like 6 times before I understood.

For the confused: Check the address bar, clicking it actually changes the URL of the site (to flip you into/out of secure mode)


I still don't get it. Clicking the address bar or the switch toggle does nothing for me. Manually entering http://permission.site also doesn't help


Do you maybe have HTTPS everywhere installed? Or is your browser maybe set to always choose HTTPS if possible?

(The former applies to me, and clicking the toggle does nothing for me either.)


I wonder if this is the default behavior from some UI toolkit or is it custom...


For some reason the regular popup works without asking for my permission, whereas the delayed one gets blocked by Firefox (86.0.1 on Windows 10)


This will happen in most browsers (I’m on Safari 14, macOS 11.2). The popup-blockers in most browsers will allow a popup if it is opened directly because of user input, such as a button click — a fairly simple measure which can be implemented by only allowing certain APIs to work within an event handler, for example.

There are a few Web APIs which work this way — for example, you can’t make a page fullscreen unless you do so in response to user input/interaction [0].

[0]: https://developer.mozilla.org/en-US/docs/Web/API/Element/req...


Popups triggered by a user are considered trusted and are usually allowed

https://developer.mozilla.org/en-US/docs/Web/API/Event/isTru...


That's intentional. Instant popups from clicks can have totally legitimate uses (like logging into sites like Disqus/Paypal etc on external sites).

Delayed popups have very few, if any, legitimate uses.
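The click-gated popup behaviour discussed in the comments above, as an added example that is not from any commenter or from permission.site. `openLoginPopup` and `fakeWindow` are hypothetical names, and the 5000 ms activation window in the stand-in is an assumed value so the logic can run outside a browser.

```javascript
// Added example: open a popup only while the click's activation is still
// live, and detect the case where the popup blocker stepped in.
function openLoginPopup(win, url) {
  const activation = win.navigator && win.navigator.userActivation;
  // navigator.userActivation is not available in every browser; when it is
  // missing we cannot tell in advance and simply try.
  if (activation && !activation.isActive) {
    return { opened: false, reason: "no-user-activation" };
  }
  const popup = win.open(url, "login", "popup,width=480,height=640");
  // A popup blocker makes window.open() return null instead of throwing.
  if (popup === null) {
    return { opened: false, reason: "blocked" };
  }
  return { opened: true, popup };
}

// Constructed stand-in for a browser window, so the logic runs under Node.
// activationMs models how long the browser keeps a click "live" (assumed).
function fakeWindow({ clickedAt, now, activationMs = 5000, hasApi = true }) {
  const active = clickedAt !== null && now - clickedAt <= activationMs;
  return {
    navigator: hasApi ? { userActivation: { isActive: active } } : {},
    open: () => (active ? { closed: false } : null),
  };
}

// In a page this would be called straight from the click handler:
//   button.addEventListener("click", () => {
//     const result = openLoginPopup(window, "/login");
//     if (!result.opened) showInlineLoginLink(); // hypothetical fallback
//   });
const immediate = openLoginPopup(fakeWindow({ clickedAt: 0, now: 10 }), "/login");
const delayed = openLoginPopup(fakeWindow({ clickedAt: 0, now: 10000 }), "/login");
console.log(immediate.opened, delayed.reason);
```
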


Hey, sorry, I'm really dumb here. How would one use this?


It appears as though you click on each button and see what color the button turns. If the button turns red the site doesn’t have the permission to do what the button says. If the button turns green then the site can do what the button says.


I think his question is: what's the point?


I found it interesting to see what happens on Safari on iOS after each permission was requested. About 1/3 did nothing, a few of them were denied without a prompt, a few of them were as expected. And a few of them had weird prompts like the pan/tilt on asking for camera permission.

Was also interesting to see WebAuthn ask if I wanted to allow a site to use Face ID, which I didn’t know was even possible.


Yeah WebAuthn is really neat! Unfortunately many sites still don't think iOS supports it so I have to use my auth app instead of my YubiKey on those sites when on my phone.


Mostly as a tool for developers to test various permissions on various browsers


I guess this rabbit hole continues if one asks what the point of such testing could be. One thing I'd find useful is that I could take screenshots (or live demo this site) if I was doing some non-web-development thing such as doing a presentation and wanted to explain WebAuthn flow or something.

Because if I was a developer doing development, I'd test browsers with what I developed.


Or maybe you are a developer that is using one of the features for the first time. Now you can check out the permission flow without having written any code. Similar to live examples in MDN.


Thank you. This explanation was helpful to me.


It's a handy way for developers to compare the web permissions that different browsers support, and to be able to quickly see what the permission UI looks like.


I might have discovered a Chrome bug.

1) Turn bluetooth off.

2) Click the "bluetooth" button, then deny it.

3) Chrome crashes.


I wonder if it's OS dependent. xUbuntu 20.04, Chrome 88 and Chromium 89, could not duplicate.



What operating system?


So many permissions, but meanwhile autoplaying video and audio is still hidden behind a horrible heuristic model in Chrome that fundamentally prioritises internet giants like YouTube, Netflix and alike.


I had no idea you could screen share in JS.


Desktop and window capture is included for all platforms as part of WebRTC.


Can record to video too, sort of like logrocket


Yup! Meeting apps need it.


There is this philosophical dilemma. Should your Star Trek-inspired food-machine be able to load recipes from a URL, using a standard recipe-format, or should a URL on your computer device load an app that connects to the food-machine... ? E.g. static web with different kinds of formats and devices - versus web-apps and APIs


I think so far the best setup I've seen of this for browser restriction for a session is with running the browser in firejail. https://github.com/netblue30/firejail


I would like to be able to take a screenshot of the user page (with their permission) using native APIs, that would be amazing for sharing content, bug reporting, etc. Google has a feedback tool that leverages html2canvas.


Why not use html2canvas?


Funny, this URL reliably crashed my tab in FF 86.0.1 on Linux (with Wayland). When trying to open the debugger console I suddenly got the annoying 'firefox has to update' page, that updated to 87.0, and now it works.


Yes, I'm going to be the guy that mentions that this site does not do a thing with NoScript running.

I'm always so happy with this addon and the first thing I install on a new machine.


Always wanted to use it but don't you just have to enable it on every site you visit anyway to make them function?


No, if you just need to read some text a lot of sites function with JavaScript disabled. Also, you can permanently enable sites, so often it is a one-time flip of the switch.

I think (but never really researched and enabled it) you can also have it run in whitelist mode by default, so that you can disable JS for specific sites.

Best to give it a try though.


...and after that first pass of enabling only what's needed to get a site to work sufficiently well, that site tends to be significantly more pleasant to use in future.

I enabled JS for just eff.org, and coveryourtracks tells me I'm still spewing 17.12 bits of fingerprint all over the internet. I suppose it'd be possible for a browser to randomly rotate stuff like user-agent through multiple common values to mitigate that.


Async - clipboard: does this mean with a button press a site can copy what’s in your memories “copy”/clipboard functionality?!


Yes, if the user grants the site permission.

https://web.dev/async-clipboard/


No, it can only write to the clipboard, at least in Firefox.


This is awesome. I used it to pre-configure all six web browsers’ access permission (nearly all to deny mode).


Ha!

Just by coincidence when I opened the site in Safari on iOS I got a pop-up message that my SIM card had sent a text message.


Wow! The source code is extremely readable as well. This is great documentation. Bookmarking for sure.


Cool site. I'm a bit annoyed that sites can seemingly overwrite your clipboard without confirmation, on Android at least!


No, it makes sense. "Copy this" buttons are common on websites, but probably require a button click to initiate. Since you clicked on a button, you provided the input necessary to copy to the clipboard.


Copying to the clipboard is unrestricted even without a click, but reading clipboard text requires a permission popup.

https://web.dev/async-clipboard/#security-and-permissions:~:...


This is exactly what I was thinking.

Theoretically, a bad actor could have a site or even inject code onto a site with an innocuous looking bash command, but upon copy injects say, rm -rf ~ \n


This can be done even without the clipboard API - See https://thejh.net/misc/website-terminal-copy-paste and further https://security.stackexchange.com/a/113630/96942


Seems like this requires you to select some text (which includes some text that's been hidden using CSS tricks) and copy it. So it's not like the website can just arbitrary write to your clipboard without your interaction? (Still, this is kinda scary and I didn't know about this.)


They can append the message to whatever you'll actually want to copy, which is how websites used to do things like this.

- Copied from https://news.ycombinator.com/item?id=26590437


Really interesting (and terrifying) reads, thank you.


The real bug is that \n pasted into the terminal counts as hitting enter. iTerm has fixed this but every Linux terminal I have used has this issue.


Every Linux terminal I've used has a pop-up when there's a new newline. Like this, which in this case is xfce4-terminal. [0]

[0] https://i.imgur.com/ubCXASQ.png



Gnome-terminal, probably the largest by user base, does not sadly.


Huh, I've never gotten a prompt like that in Terminator.


Is it still possible to paste into vim, for example? If so, how does the terminal make the distinction?
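The newline check and the paste-into-an-editor question from the comments above, as an added example that is not from any commenter or terminal project. It assumes bracketed paste mode, in which a program that sent `ESC[?2004h` receives pasted text wrapped in `ESC[200~` ... `ESC[201~`; the helper names are hypothetical and the sample text is constructed.

```javascript
// Added example; helper names are hypothetical, the sample text is constructed.
const PASTE_START = "\x1b[200~"; // sent by the terminal before pasted text
const PASTE_END = "\x1b[201~";   // sent by the terminal after pasted text

// Name what in a clipboard string would act as keystrokes rather than text.
function inspectPaste(text) {
  const findings = [];
  if (/[\r\n]/.test(text)) findings.push("newline");       // acts as Enter
  if (text.includes(PASTE_END)) findings.push("paste-end"); // would end the bracket early
  // C0 controls other than tab, LF and CR, plus DEL (ESC is among them)
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(text)) findings.push("control");
  return findings;
}

// Remove bracket markers hidden in the text. Repeat until stable, because
// deleting one marker can splice its neighbours into a new one.
function stripMarkers(text) {
  let previous;
  do {
    previous = text;
    text = text.split(PASTE_START).join("").split(PASTE_END).join("");
  } while (text !== previous);
  return text;
}

// Decide what the terminal does with a paste.
// appBracketed: the foreground program asked for bracketed paste (ESC[?2004h).
function preparePaste(text, appBracketed) {
  if (appBracketed) {
    // The program sees one delimited blob and can treat newlines as data.
    return { action: "send", data: PASTE_START + stripMarkers(text) + PASTE_END };
  }
  const findings = inspectPaste(text);
  return findings.length > 0
    ? { action: "confirm", findings }   // show the "paste contains newline" dialog
    : { action: "send", data: text };
}

// Constructed sample: one visible command followed by a second, hidden line.
const SAMPLE = "echo visible\necho hidden-second-line\n";
console.log(preparePaste(SAMPLE, false));
```
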


Is it? When I click the "Write" button, it turns green, but when I click "Write (delayed)", after a while it turns red. So it seems (at least on Firefox 87) even the clipboard write API is restricted to user-action event handlers.


It’s also a privacy issue. Google’s Firebase Dynamic links is using it non-maliciously to survive app installs for deep linking (when the app is not installed it helps you redirect the user to the correct screen after the install), however any webpage can actually put something on your clipboard and match you on an app by reading your clipboard.

With iOS 14 at least we can tell when apps are reading the clipboard.


Seems like a great method to social engineer people into copying to clipboard something that will install a trojan, get them to open a command prompt and paste it, in the general concept of curl piped into a shell.


This is seriously cool. A great way to self audit browser security in a user friendly way.


No way to disable Bluetooth in latest Chrome on Windows 10 (89.0.4389.90)


Err, I'm getting no warning for screen share. Chrome on Android.


The Screen Capture API isn't supported on mobile Chrome.

https://developer.mozilla.org/en-US/docs/Web/API/Screen_Capt...


There is no way that 'pointer lock' should be something you can just click and get your pointer hijacked. You could label that button anything or make it any clickable element. Who the hell at web browser developers thought that was a good idea to implement?

Why not have a "Do you want to allow this site to take control of your pointer?" prompt, same as when a site first wants to use your microphone or camera?


I get a "$WEBSITE has control of your pointer. Press Esc to take back control" message in Firefox when that happens, and the message is pretty big and in your face. Do other popular browsers not have this message? Solves the problem in an elegant way.


Interestingly, in Firefox, if I trigger the Protocol Handler permission and then Pointer Lock, the Pointer Lock notification is hidden by the Protocol Handler bar. Seems like this could be abused.

Screen recording:

https://b-cdn.s3.maddison.io/99Q967Cnvz--2021-03-26_02-58-20...


There are a ton of use cases that demand it, so it was added a long time ago (around the same time as Fullscreen, I think). The current user experience for it (opt-out instead of opt-in) has likewise been around for ages. I think I remember seeing an explicit permission prompt very early on but they got rid of it.

"You could label that button anything" sadly applies to a significant number of dangerous things a website can do, pointer lock is not near the top of the list.


I think lots of stuff like RDP extensions, or browser-based gaming (e.g. Stadia) are using it.


Maybe it's used for fullscreen games?


I'm sure it is, and works great for that, I just think it needs one more layer of user consent and understanding before it's turned on.


I see it in emulators, like this one: https://www.pcjs.org/software/pcx86/sys/windows/3.10/

(click one of the Windows apps once it boots)


I was surprised by this too, now have in firefox about:config dom.pointer-lock.enabled = false


site seems to be run by google employees



