Browser Permissions Explained: What Each One Really Lets a Site Do
A permission prompt is a website asking for a capability it can keep using. Granting is easy to do without thinking, and a granted permission is often reused silently on your next visit. Here's exactly what each one exposes, how it's abused, and how to stay safe.
Updated July 2, 2026 · 6 min read
Location — your exact coordinates
Granting location gives a site GPS-grade coordinates, often accurate to a few metres — far more precise than the rough city it can already guess from your IP.
- Abuse: pinning your home or workplace and selling it to data brokers.
- Abuse: stalkers or abusive partners tracking your real-time location through a shared or spoofed page.
- Abuse: location-based price changes and 'local' scams.
- Safe default: set Location to 'Ask', grant only to maps/delivery sites you trust, and revoke afterwards.
Camera — silent photos and video
Once granted, a site can capture images or video while its tab is open, with only a small hardware indicator as warning.
- Abuse: covertly recording you, then demanding payment not to release it (sextortion).
- Abuse: reading documents, faces, or surroundings for identification and profiling.
- Safe default: grant only during an active video call, revoke when done, and physically cover the lens.
Microphone — listening in
Microphone access lets a site record audio near your device, and a one-time grant can persist across later visits.
- Abuse: eavesdropping on nearby conversations or capturing spoken passwords.
- Abuse: recording audio for blackmail.
- Safe default: set Microphone to 'Ask' and remove access for any site that doesn't strictly need it.
Clipboard — reading what you copied
Clipboard access lets a page read whatever text you last copied — which is often a password, a 2FA code, or a crypto seed phrase straight from your password manager.
- Abuse: harvesting copied secrets the instant you paste.
- Abuse: swapping a copied wallet address or IBAN so your payment is redirected.
- Safe default: block clipboard access, and never paste secrets into pages you don't fully trust.
Notifications — a channel into your device
Notification permission lets a site interrupt you with system-style messages any time, even after you've closed the tab.
- Abuse: fake 'virus detected' or 'you won a prize' alerts leading to scams and malware.
- Abuse: pop-ups disguised as messages from your operating system.
- Safe default: block notification prompts globally — almost no site genuinely needs them.
The golden rule
Deny by default, grant per-site only when you actively need the feature, and audit granted permissions periodically in your browser's site settings. A permission you forgot you granted is a permission that can be used against you.
Frequently asked questions
- Does denying a permission break websites?
- Rarely. Well-built sites degrade gracefully when you deny a permission — a maps site simply asks you to type a location instead of reading GPS. If a site refuses to work without camera, microphone, or location it doesn't obviously need, treat that as a red flag.
- If I granted a permission once, can the site use it again later?
- Usually yes. Most browsers remember a granted permission for that site, so it can be reused on future visits without prompting you again. Review and revoke old grants in your browser's site settings.