Notification permission requests from cross-origin <iframe> are now disallowed

Published: | Categories: DOM


Starting with Firefox 70, requests for the desktop notification permission will all be denied when the Notification.requestPermission method is called from a cross-origin <iframe>. Once blocked, no prompt will be displayed and web console logs a warning. According to Mozilla’s Telemetry, such permission requests are less than 0.03%, so the compatibility risk should be very low.

In the future, requests from a same-origin <iframe> may also be denied. If you need a permission, make sure to request it from a top-level document.