← All guides

Browser Permissions Explained: What Each One Really Lets a Site Do

A permission prompt is a website asking for a capability it can keep using. Granting is easy to do without thinking, and a granted permission is often reused silently on your next visit. Here's exactly what each one exposes, how it's abused, and how to stay safe.

Updated July 2, 2026 · 6 min read

Location — your exact coordinates

Granting location gives a site GPS-grade coordinates, often accurate to a few metres — far more precise than the rough city it can already guess from your IP.

  • Abuse: pinning your home or workplace and selling it to data brokers.
  • Abuse: stalkers or abusive partners tracking your real-time location through a shared or spoofed page.
  • Abuse: location-based price changes and 'local' scams.
  • Safe default: set Location to 'Ask', grant only to maps/delivery sites you trust, and revoke afterwards.

Camera — silent photos and video

Once granted, a site can capture images or video while its tab is open, with only a small hardware indicator as warning.

  • Abuse: covertly recording you, then demanding payment not to release it (sextortion).
  • Abuse: reading documents, faces, or surroundings for identification and profiling.
  • Safe default: grant only during an active video call, revoke when done, and physically cover the lens.

Microphone — listening in

Microphone access lets a site record audio near your device, and a one-time grant can persist across later visits.

  • Abuse: eavesdropping on nearby conversations or capturing spoken passwords.
  • Abuse: recording audio for blackmail.
  • Safe default: set Microphone to 'Ask' and remove access for any site that doesn't strictly need it.

Clipboard — reading what you copied

Clipboard access lets a page read whatever text you last copied — which is often a password, a 2FA code, or a crypto seed phrase straight from your password manager.

  • Abuse: harvesting copied secrets the instant you paste.
  • Abuse: swapping a copied wallet address or IBAN so your payment is redirected.
  • Safe default: block clipboard access, and never paste secrets into pages you don't fully trust.

Notifications — a channel into your device

Notification permission lets a site interrupt you with system-style messages any time, even after you've closed the tab.

  • Abuse: fake 'virus detected' or 'you won a prize' alerts leading to scams and malware.
  • Abuse: pop-ups disguised as messages from your operating system.
  • Safe default: block notification prompts globally — almost no site genuinely needs them.

The golden rule

Deny by default, grant per-site only when you actively need the feature, and audit granted permissions periodically in your browser's site settings. A permission you forgot you granted is a permission that can be used against you.

Frequently asked questions

Does denying a permission break websites?
Rarely. Well-built sites degrade gracefully when you deny a permission — a maps site simply asks you to type a location instead of reading GPS. If a site refuses to work without camera, microphone, or location it doesn't obviously need, treat that as a red flag.
If I granted a permission once, can the site use it again later?
Usually yes. Most browsers remember a granted permission for that site, so it can be reused on future visits without prompting you again. Review and revoke old grants in your browser's site settings.

Sources & further reading