index.html

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>
      Permissions
    </title>
    <script src="https://www.w3.org/Tools/respec/respec-w3c" async class="remove"></script>
    <script class="remove">
      // All config options at https://respec.org/docs/
      var respecConfig = {
        // Working Groups ids at https://respec.org/w3c/groups/
        shortName: "permissions",
        group: "webappsec",
        specStatus: "ED",
        editors: [
          {
            name: "Marcos Cáceres",
            url: "https://marcosc.com",
            company: "Apple Inc.",
            companyURL: "https://www.apple.com/",
            w3cid: "39125",
          },
          {
            name: "Mike Taylor",
            url: "https://miketaylr.com/posts/",
            companyURL: "https://google.com/",
            company: "Google LLC",
            w3cid: "90704",
          },
        ],
        formerEditors: [
          {
            name: "Mounir Lamouri",
            companyURL: "https://google.com/",
            company: "Google LLC",
          },
          {
            name: "Jeffrey Yasskin",
            companyURL: "https://google.com/",
            company: "Google LLC",
            w3cid: "72192",
          },
        ],
        github: {
          branch: "main",
          repoURL: "w3c/permissions",
        },
        mdn: true,
        // See https://respec.org/docs/#xref for usage.
        xref: "web-platform",
        localBiblio: {
          "permissions-registry": {
            title: "Permissions Registry",
            href: "https://w3c.github.io/permissions-registry/",
            status: "unofficial",
          }
        },
        caniuse: {
          feature: "permissions-api",
          removeOnSave: false,
        }
      };
    </script>
  </head>
  <body>
    <h2 id="subtitle">
      Interacting with Permissions for Powerful Features
    </h2>
    <section id="abstract">
      <p>
        This specification defines common infrastructure that other specifications can use to
        interact with browser permissions. These permissions represent a user's choice to allow or
        deny access to "powerful features" of the platform. For developers, the specification
        standardizes an API to query the permission state of a powerful feature, and be notified if
        a permission to use a powerful feature changes state.
      </p>
    </section>
    <section id="sotd">
      <p>
        This is a work in progress.
      </p>
    </section>
    <section class="informative">
      <h2 id="intro">
        Introduction
      </h2>
      <p>
        Specifications can define features that are explicitly identified as a [=powerful
        feature=]. These features are said to be "powerful" in that they can have significant
        privacy, security, and performance implications. As such, users rely on user agents to deny
        sites the ability to use these features until they have given express permission, and
        usually only granting this ability for a limited amount of time. Express permission to
        allow a site to use a powerful feature is generally given and controlled through browser
        UI, as illustrated below.
      </p>
      <figure>
        <img src="docs/assets/images/sample-prompts.png" alt=
        "On the left, a mockup of a notifications prompt with an allow and don't allow buttons that states 'the website example.com would like to send you notifications'. On the right, a prompt near the URL bar asking to give permission to the camera and microphone to the example site.">
        <figcaption>
          Sketches of possible permission prompt types
        </figcaption>
      </figure>
      <p>
        In this sense, a permission represents the current state of user consent for certain types
        of features, and particularly "powerful features". Ultimately the user retains control of
        these permissions and have the ability to manually grant or deny permissions through user
        preferences. Further, user agents assist users in managing permissions by, for example,
        hiding and automatically denying certain permission prompts that would otherwise be a
        nuisance, and automatically expiring granted permissions if a user doesn't visit a website
        for some time.
      </p>
    </section>
    <figure>
      <img src="docs/assets/images/permission-settings.png" alt=
      "A mockup of a settings page that would allow a user to set or reset defaults for location, camera, microphone, motion sensors, and notifications permissions.">
      <figcaption>
        A sketch of a possible site-specific permissions controls UI
      </figcaption>
    </figure>
    <section class="informative">
      <h2 id="examples">
        Examples of usage
      </h2>
      <p>
        This example uses the Permissions API to decide whether local news should be shown using
        the Geolocation API or with a button offering to add the feature.
      </p>
      <pre class="example js" title="Using .state attribute">
        const { state } = await navigator.permissions.query({
          name: "geolocation"
        });
        switch (state) {
          case "granted":
            showLocalNewsWithGeolocation();
            break;
          case "prompt":
            showButtonToEnableLocalNews();
            break;
          case "denied":
            showNationalNews();
            break;
        }
      </pre>
      <p>
        This example simultaneously checks the state of the `"geolocation"` and `"notifications"`
        [=powerful features=]:
      </p>
      <pre class="example js" title="Checking the state of multiple permissions">
        const queryPromises = ["geolocation", "notifications"].map(
          name =&gt; navigator.permissions.query({ name })
        );
        for await (const status of queryPromises) {
          console.log(`${status.name}: ${status.state}`);
        }
      </pre>
      <p>
        This example is checking the permission state of the available cameras.
      </p>
      <pre class="example js" title="Checking permission state of multiple cameras">
        const devices = await navigator.mediaDevices.enumerateDevices();

        // filter on video inputs, and map to query object
        const queries = devices
          .filter(({ kind }) =&gt; kind === "videoinput")
          .map(({ deviceId }) =&gt; ({ name: "camera", deviceId }));

        const promises = queries.map((queryObj) =&gt;
          navigator.permissions.query(queryObj)
        );

        try {
          const results = await Promise.all(promises);
          // log the state of each camera
          results.forEach(({ state }, i) =&gt; console.log("Camera", i, state));
        } catch (error) {
          console.error(error);
        }
      </pre>
    </section>
    <section>
      <h2>
        Model
      </h2>
      <p>
        This section specifies a model for [=permissions=] to use [=powerful features=] on the Web
        platform.
      </p>
      <section>
        <h3>
          Permissions
        </h3>
        <p>
          A <dfn class="export">permission</dfn> represents a user's decision to allow a web
          application to use a [=powerful feature=]. This decision is represented as a permission
          [=permission/state=].
        </p>
        <p>
          <dfn class="export">Express permission</dfn> refers to the user
          [=permission/grants|granting=] the web application the ability to use a [=powerful
          feature=].
        </p>
        <aside class="note" title="Limitations and extensibility">
          <p>
            Current Web APIs have different ways to deal with permissions. For example, the
            [[[notifications]]] allows developers to request a permission and check the permission
            status explicitly. Others expose the status to web pages only when they try to use the
            API, e.g., the [[[Geolocation]]] which fails if the permission was not granted without
            allowing the developer to check beforehand.
          </p>
          <p>
            The solution described in this document is meant to be extensible, but isn't expected
            to be applicable to all the current and future permissions available in the web
            platform. Working Groups that are creating specifications whose permission model
            doesn't fit in the model described in this document should contact the editors by
            <a href="https://github.com/w3c/permissions/issues">filing an issue</a>.
          </p>
        </aside>
        <p>
          Conceptually, a [=permission=] for a [=powerful feature=] can be in one of the following
          <dfn data-dfn-for="permission" data-local-lt="state">states</dfn>:
        </p>
        <dl data-sort="">
          <dt>
            <dfn class="export" data-dfn-for="permission">Prompt</dfn>:
          </dt>
          <dd>
            The user has not given [=express permission=] to use the feature (i.e., it's the same
            as [=permission/denied=]). It also means that if a caller attempts to use the feature,
            the [=user agent=] will either be prompting the user for permission or access to the
            feature will be [=permission/denied=].
          </dd>
          <dt>
            <dfn class="export" data-local-lt="grant" data-dfn-for="permission">Granted</dfn>:
          </dt>
          <dd>
            The user, or the user agent on the user's behalf, has given [=express permission=] to
            use a [=powerful feature=]. The caller will can use the feature possibly without having
            the [=user agent=] asking the user's permission.
          </dd>
          <dt>
            <dfn class="export" data-dfn-for="permission">Denied</dfn>:
          </dt>
          <dd>
            The user, or the user agent on the user's behalf, has denied access to this [=powerful
            feature=]. The caller will can't use the feature.
          </dd>
        </dl>
        <p>
          To ascertain <dfn class="export">new information about the user's intent</dfn>, a user
          agent MAY collect and interpret information about a user's intentions. This information
          can come from explicit user action, aggregate behavior of both the relevant user and
          other users, or <dfn>implicit signals</dfn> this specification hasn't anticipated.
        </p>
        <aside class="note" data-cite="appmanifest" title="What constitutes an implicit signal?">
          <p>
            The <a>implicit signals</a> could be, for example, the [=installed web
            application|installation=] status of a web application or frequency and recency of
            visits. A user that has installed a web application and used it frequently and recently
            is more likely to trust it. Implementations are advised to exercise caution when
            relying on implicit signals.
          </p>
        </aside>
        <p data-cite="ECMAScript">
          Every [=permission=] has a <dfn class="export" data-dfn-for="permission">lifetime</dfn>,
          which is the duration for which a particular permission remains [=permission/granted=]
          before it reverts back to its [=permission/default state=]. A [=permission/lifetime=]
          could be until a particular [=ECMAScript/Realm=] is destroyed, until a particular
          [=top-level browsing context=] is destroyed, a particular amount of time, or be infinite.
          The lifetime is negotiated between the end-user and the [=user agent=] when the user
          gives [=express permission=] to use a [=feature=]—usually via some permission UI or
          user-agent defined policy.
        </p>
        <p>
          Every permission has a <dfn data-for="permission">default state</dfn> (usually
          [=permission/prompt=]), which is the [=permission/state=] that the permission is in when
          the user has not yet given [=express permission=] to use the [=feature=] or it has been
          reset because its [=permission/lifetime=] has expired.
        </p>
      </section>
      <section>
        <h3>
          Permission Store
        </h3>
        <p>
          The user agent maintains a single <dfn class="export">permission store</dfn> which is a
          [=/list=] of [=permission store entries=]. Each particular [=entry=] denoted by its
          [=permission store entry/descriptor=] and [=permission store entry/key=] can only appear
          at most once in this list.
        </p>
        <p>
          The user agent MAY remove [=entries=] from the [=permission store=] when their respective
          [=permission=]'s [=permission/lifetime=] has expired.
        </p>
        <p>
          A <dfn class="export" data-local-lt="entry">permission store entry</dfn> is a [=tuple=]
          of {{PermissionDescriptor}} <dfn class="export" data-dfn-for=
          "permission store entry">descriptor</dfn>, [=permission key=] <dfn class="export"
          data-dfn-for="permission store entry">key</dfn>, and [=permission/state=] <dfn class=
          "export" data-dfn-for="permission store entry">state</dfn>.
        </p>
        <p>
          To <dfn class="export">get a permission store entry</dfn> given a
          {{PermissionDescriptor}} |descriptor| and [=permission key=] |key|:
        </p>
        <ol class="algorithm">
          <li>
            <!-- TODO: PermissionDescriptor equality is not defined (#396) -->
            If the user agent's [=permission store=] [=list/contains=] an [=entry=] whose
            [=permission store entry/descriptor=] is |descriptor|, and whose [=permission store
            entry/key=] [=permission key/is equal to=] |key| given |descriptor|, return that entry.
          </li>
          <li>Return null.
          </li>
        </ol>
        <p>
          To <dfn class="export">set a permission store entry</dfn> given a
          {{PermissionDescriptor}} |descriptor|, a [=permission key=] |key|, and a
          [=permission/state=] |state|, run these steps:
        </p>
        <ol class="algorithm">
          <li>Let |newEntry| be a new [=permission store entry=] whose [=permission store
          entry/descriptor=] is |descriptor|, and whose [=permission store entry/key=] is |key|,
          and whose [=permission store entry/state=] is |state|.
          </li>
          <li>If the user agent's [=permission store=] [=list/contains=] an [=entry=] whose
          [=permission store entry/descriptor=] is |descriptor|, and whose [=permission store
          entry/key=] [=permission key/is equal to=] |key| given |descriptor|, [=list/replace=]
          that entry with |newEntry| and abort these steps.
          </li>
          <li>[=list/Append=] |newEntry| to the user agent's [=permission store=].
          </li>
        </ol>
        <p>
          To <dfn class="export">remove a permission store entry</dfn> given a
          {{PermissionDescriptor}} |descriptor| and [=permission key=] |key|, run these steps:
        </p>
        <ol class="algorithm">
          <li>[=list/Remove=] the [=entry=] whose [=permission store entry/descriptor=] is
          |descriptor|, and whose [=permission store entry/key=] [=permission key/is equal to=]
          |key| given |descriptor|, from the user agent's [=permission store=].
          </li>
        </ol>
        <p>
          A <dfn class="export">permission key</dfn> has its type defined by a feature's [=powerful
          feature/permission key type=].
        </p>
        <aside class="note">
          The permission key defines the scope of a permission grant, which is usually per-origin.
          Powerful features may override the [=powerful feature/permission key type=] to specify a
          custom permission key. This is useful for features that want to change the granularity of
          permissions based on additional context, such as double-keying on both an embedded origin
          and a top-level origin.
        </aside>
        <p>
          To determine whether a [=permission key=] |key1| <dfn class="export" data-dfn-for=
          "permission key">is equal to</dfn> a [=permission key=] |key2|, given a
          {{PermissionDescriptor}} |descriptor|, run the following steps:
        </p>
        <ol class="algorithm">
          <li>If |key1| is not of |descriptor|'s [=powerful feature/permission key type=] or |key2|
          is not of |descriptor|'s [=powerful feature/permission key type=], return false.
          </li>
          <li>Return the result of running the [=powerful feature/permission key comparison
          algorithm=] for the feature named by |descriptor|'s {{PermissionDescriptor/name}},
          passing |key1| and |key2|.
          </li>
        </ol>
      </section>
      <section>
        <h2>
          Powerful features
        </h2>
        <p data-cite="permissions-policy">
          A <dfn class="export" data-local-lt="feature">powerful feature</dfn> is a web platform
          feature (usually an API) for which a user gives [=express permission=] before the feature
          can be used. Except for a few notable exceptions (e.g., the [[[Notifications]]]), most
          powerful features are also [=policy-controlled features=]. For powerful features that are
          also [=policy-controlled features=], [[Permissions-Policy]] controls whether a
          [=document=] is [=allowed to use=] a given feature. That is, a powerful feature can only
          request [=express permission=] from a user if the [=document=] has permission delegated
          to it via the corresponding [=policy-controlled feature=] (see example below). Subsequent
          access to the feature is determined by the user having [=permission/granted=] permission,
          or by satisfying some criteria that is equivalent to a permission [=permission/grant=].
        </p>
        <aside class="example" title="Powerful features are policy-controlled features">
          <p>
            This example shows how the permissions policy set through the [^iframe/allow^]
            attribute controls whether the [^iframe^] is [=allowed to use=] a powerful feature.
            Because `"geolocation"` is allowed, the [^iframe^]'s document can request permission
            from the user to use the [[[Geolocation]]] (i.e., it will prompt the user for express
            permission to access their location information). However, requesting permission to use
            any other feature will be automatically denied, because they are not listed in the
            [^iframe/allow^] attribute.
          </p>
          <pre class="html">
            &lt;iframe src="https://example.com/" allow="geolocation"&gt;
            &lt;/iframe&gt;
          </pre>
          <p>
            See [[[#relationship-to-permissions-policy]]] for more information.
          </p>
        </aside>
        <p>
          A [=powerful feature=] is identified by its <dfn class="export" data-dfn-for=
          "powerful feature">name</dfn>, which is a string literal (e.g., "geolocation").
        </p>
        <p>
          The user agent tracks which <a>powerful features</a> the user has [=permission=] to use
          via the [=environment settings object=].
        </p>
        <section>
          <h3>
            Aspects
          </h3>
          <p>
            Each <a>powerful feature</a> can define zero or more additional <dfn data-dfn-for=
            "powerful feature">aspects</dfn>. An aspect is defined as WebIDL [=dictionary=] that
            [=dictionary/inherits=] from {{PermissionDescriptor}} and serves as a WebIDL
            interface's [=powerful feature/permission descriptor type=].
          </p>
          <aside class="example" title="Defining your own permission descriptor type">
            <p>
              A hypothetical [=powerful feature=] "food detector API" has two [=powerful
              feature/aspects=] that allow sensing taste and smell. So, a specification would
              define a new WebIDL interface that [=dictionary/inherits=] {{PermissionDescriptor}}:
            </p>
            <pre>
              dictionary SensesPermissionDescriptor : PermissionDescriptor {
                boolean canSmell = false;
                boolean canTaste = false;
              };
            </pre>
            <p>
              Which would then be queried via the API in the following way:
            </p>
            <pre class="js">
              // Check if the "senses" powerful feature is allowed to smell things
              const status = await navigator.permissions.query({
                name: "senses",
                canSmell: true,
              });
              // Do something interesting with the status.
            </pre>
            <p>
              A user can restrict the "senses" powerful feature to only "taste", in which case the
              {{PermissionStatus}}'s {{PermissionStatus/state}} above would be
              {{PermissionState/"denied"}} .
            </p>
          </aside>
        </section>
      </section>
      <section>
        <h3>
          Permissions task source
        </h3>
        <p>
          The <dfn>permissions task source</dfn> is a [=task source=] used to perform
          permissions-related [=tasks=] in this specification.
        </p>
      </section>
    </section>
    <section>
      <h2>
        Specifying a powerful feature
      </h2>
      <p>
        When a conforming [=specification=] <dfn class="export">specifies a powerful feature</dfn>
        it:
      </p>
      <ol>
        <li>MUST give the [=powerful feature=] a [=powerful feature/name=] in the form of a [=ascii
        lowercase=] string.
        </li>
        <li>MAY define a [=powerful feature/permission descriptor type=] that inherits from
        {{PermissionDescriptor}}.
        </li>
        <li>MAY define zero or more [=powerful feature/aspects=].
        </li>
        <li>MAY override the algorithms and types given below if the defaults are not suitable for
        a particular [=powerful feature=].
        </li>
        <li>MUST register the [=powerful feature=] in the [[[permissions-registry]]].
        </li>
      </ol>
      <p class="advisement">
        Registering the newly specified [=powerful features=] in the [[[permissions-registry]]]
        gives this Working Group an opportunity to provide feedback and check that integration with
        this specification is done effectively.
      </p>
      <dl>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission descriptor type</dfn>:
        </dt>
        <dd>
          <p>
            {{PermissionDescriptor}} or one of its subtypes. If unspecified, this defaults to
            {{PermissionDescriptor}}.
          </p>
          <p>
            The feature can define a <a href=
            "https://en.wikipedia.org/wiki/Partially_ordered_set">partial order</a> on descriptor
            instances. If |descriptorA| is <dfn class="export" data-dfn-for=
            "PermissionDescriptor">stronger than</dfn> |descriptorB|, then if |descriptorA|'s
            <a>permission state</a> is {{PermissionState/"granted"}}, |descriptorB|'s <a>permission
            state</a> must also be {{PermissionState/"granted"}}, and if |descriptorB|'s
            <a>permission state</a> is {{PermissionState/"denied"}}, |descriptorA|'s <a>permission
            state</a> must also be {{PermissionState/"denied"}}.
          </p>
          <aside class="example" id="example-stronger-than" title=
          "A permission descriptor that defines a partial order">
            <p>
              <code>{name: "midi", sysex: true}</code> ("midi-with-sysex") is
              [=PermissionDescriptor/stronger than=] <code>{name: "midi", sysex: false}</code>
              ("midi-without-sysex"), so if the user denies access to midi-without-sysex, the UA
              must also deny access to midi-with-sysex, and similarly if the user grants access to
              midi-with-sysex, the user agent must also grant access to midi-without-sysex.
            </p>
          </aside>
        </dd>
        <dt>
          <dfn data-dfn-for="powerful feature" class="export">permission state constraints</dfn>:
        </dt>
        <dd>
          Constraints on the values that the user agent can return as a descriptor's <a>permission
          state</a>. Defaults to no constraints beyond the user's intent.
        </dd>
        <dt>
          <dfn data-dfn-for="powerful feature" class="export">extra permission data type</dfn>:
        </dt>
        <dd>
          <p>
            Some <a>powerful features</a> have more information associated with them than just a
            {{PermissionState}}. Each of these features defines an [=powerful feature/extra
            permission data type=].
          </p>
          <p class="note" data-cite="mediacapture-streams ECMAScript">
            For example, {{MediaDevices/getUserMedia()}} needs to determine <em>which</em> cameras
            the user has granted permission to access.
          </p>
          <p>
            If a {{DOMString}} |name| names one of these features, then |name|'s <dfn data-dfn-for=
            "powerful feature" class="export">extra permission data</dfn> for an optional
            <a>environment settings object</a> |settings| is the result of the following algorithm:
          </p>
          <ol class="algorithm">
            <li>If |settings| wasn't passed, set it to the [=current settings object=].
            </li>
            <li>If there was a previous invocation of this algorithm with the same |name| and
            |settings|, returning |previousResult|, and the user agent has not received <a>new
            information about the user's intent</a> since that invocation, return |previousResult|.
            </li>
            <li>Return the instance of |name|'s [=powerful feature/extra permission data type=]
            that matches the UA's impression of the user's intent, taking into account any
            [=powerful feature/extra permission data constraints=] for |name|.
            </li>
          </ol>
          <p>
            If specified, the [=powerful feature/extra permission data=] algorithm is usable for
            this feature.
          </p>
        </dd>
        <dt>
          Optional <dfn data-dfn-for="powerful feature" class="export">extra permission data
          constraints</dfn>:
        </dt>
        <dd>
          Constraints on the values that the user agent can return as a [=powerful feature=]'s
          [=powerful feature/extra permission data=]. Defaults to no constraints beyond the user's
          intent.
        </dd>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission result type</dfn>:
        </dt>
        <dd>
          {{PermissionStatus}} or one of its subtypes. If unspecified, this defaults to
          {{PermissionStatus}}.
        </dd>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission query algorithm</dfn>:
        </dt>
        <dd>
          <p>
            Takes an instance of the [=powerful feature/permission descriptor type=] and a new or
            existing instance of the [=powerful feature/permission result type=], and updates the
            [=powerful feature/permission result type=] instance with the query result. Used by
            {{Permissions}}' {{Permissions/query(permissionDesc)}} method and the
            [=`PermissionStatus` update steps=]. If unspecified, this defaults to the <a>default
            permission query algorithm</a>.
          </p>
          <p>
            The <dfn data-export="">default permission query algorithm</dfn>, given a
            {{PermissionDescriptor}} <var>permissionDesc</var> and a {{PermissionStatus}} |status|,
            runs the following steps:
          </p>
          <ol class="algorithm">
            <li>Set <code>|status|</code>'s {{PermissionStatus/state}} to |permissionDesc|'s
            <a>permission state</a>.
            </li>
          </ol>
        </dd>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission key type</dfn>:
        </dt>
        <dd>
          <p>
            The type of [=permission key=] used by the feature. Defaults to [=origin=]. A feature
            that specifies a custom [=powerful feature/permission key type=] MUST also specify a
            [=powerful feature/permission key generation algorithm=].
          </p>
        </dd>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission key generation
          algorithm</dfn>:
        </dt>
        <dd>
          <p>
            Takes an [=environment settings object=], and returns a new [=permission key=]. If
            unspecified, this defaults to the <a>default permission key generation algorithm</a>. A
            feature that specifies a custom [=powerful feature/permission key generation
            algorithm=] MUST also specify a [=powerful feature/permission key comparison
            algorithm=].
          </p>
          <p>
            The <dfn class="export">default permission key generation algorithm</dfn>, given an
            [=environment settings object=] |settings|, runs the following steps:
          </p>
          <ol class="algorithm">
            <li>Return |settings|'s [=environment/top-level origin=].
            </li>
          </ol>
          <aside class="note" title="Permission Delegation">
            Most powerful features grant permission to the top-level origin and delegate access to
            the requesting document via [[[Permissions-Policy]]]. This is known as permission
            delegation.
          </aside>
        </dd>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission key comparison
          algorithm</dfn>:
        </dt>
        <dd>
          <p>
            Takes two [=permission keys=] and returns a [=boolean=] that shows whether the two keys
            are equal. If unspecified, this defaults to the <a>default permission key comparison
            algorithm</a>.
          </p>
          <p>
            The <dfn class="export">default permission key comparison algorithm</dfn>, given
            [=permission keys=] |key1| and |key2|, runs the following steps:
          </p>
          <ol class="algorithm">
            <li>Return |key1| is [=same origin=] with |key2|.
            </li>
          </ol>
        </dd>
        <dt>
          A <dfn data-dfn-for="powerful feature" class="export">permission revocation
          algorithm</dfn>:
        </dt>
        <dd>
          <p>
            Takes no arguments. Updates any other parts of the implementation that need to be kept
            in sync with changes in the results of <a>permission states</a> or [=powerful
            feature/extra permission data=].
          </p>
          <p>
            If unspecified, this defaults to running [=react to the user revoking permission=].
          </p>
        </dd>
        <dt>
          A permission [=permission/lifetime=]:
        </dt>
        <dd>
          <p>
            Specifications that define one or more [=powerful features=] SHOULD suggest a
            [=permission=] [=permission/lifetime=] that is best suited for the particular feature.
            Some guidance on determining the lifetime of a permission is noted below, with a strong
            emphasis on user privacy. If no [=permission/lifetime=] is specified, the user agent
            provides one.
          </p>
          <p>
            When the permission [=permission/lifetime=] expires for an origin:
          </p>
          <ol>
            <li>Set the permission back to its default [=permission state=] (e.g., by setting it
            back to "[=permission/prompt=]").
            </li>
            <li>For each |browsing context| associated with the origin (if any), [=queue a global
            task=] on the [=permissions task source=] with the |browsing context|'s [=global
            object=] to run the [=powerful feature/permission revocation algorithm=].
            </li>
          </ol>
          <aside class="note" title="Determining the lifetime of a permission">
            <p>
              For particularly privacy-sensitive [=features=], such as [[[GETUSERMEDIA]]], which
              can provide a web application access to a user's camera and microphone, some user
              agents expire a permission [=permission/grant=] as soon as a browser tab is closed or
              [=navigated=]. For other features, like the [[[Geolocation]]], user agents are known
              to offer a choice of only granting the permission for the session, or for one day.
              Others, like the [[[Notifications]]] and [[[push-api]]] APIs, remember a user's
              decision indefinitely or until the user manually revokes the permission. Note that
              permission [=permission/lifetimes=] can vary significantly between user agents.
            </p>
            <p>
              Finding the right balance for the lifetime of a permission requires a lot of thought
              and experimentation, and often evolves over a period of years. Implementers are
              encouraged to work with their UX security teams to find the right balance between
              ease of access to a [=powerful feature=] (i.e., reducing the number of permission
              prompts), respecting a user's privacy, and making users aware when a web application
              is making use of a particular powerful feature (e.g., via some visual or auditory UI
              indicator).
            </p>
            <p>
              If you are unsure about what [=permission/lifetime=] to suggest for a [=powerful
              feature=], please contact the <a href="https://www.w3.org/Privacy/IG/">Privacy
              Interest Group</a> for guidance.
            </p>
          </aside>
        </dd>
        <dt>
          <dfn class="export" data-dfn-for="powerful feature">Default permission state</dfn>:
        </dt>
        <dd>
          <p>
            An {{PermissionState}} value that serves as a [=permission=]'s [=permission/default
            state=] of a [=powerful feature=].
          </p>
          <p>
            If not specified, the [=permission=]'s [=permission/default state=] is
            {{PermissionState/"prompt"}}.
          </p>
        </dd>
      </dl>
      <p>
        A <dfn class="export">default powerful feature</dfn> is a <a>powerful feature</a> with all
        of the above types and algorithms defaulted.
      </p>
    </section>
    <section>
      <h2>
        Algorithms to interface with permissions
      </h2>
      <section data-cite="permissions-policy">
        <h3 id="reading-current-states">
          Reading the current permission state
        </h3>
        <p>
          To <dfn class="export" data-lt="getting the current permission state">get the current
          permission state</dfn>, given a [=powerful feature/name=] |name| and an optional
          [=environment settings object=] |settings|, run the following steps. This algorithm
          returns a {{PermissionState}} enum value.
        </p>
        <ol class="algorithm">
          <li>Let |descriptor:PermissionDescriptor| be a newly-created {{PermissionDescriptor}}
          with {{PermissionDescriptor/name}} initialized to |name|.
          </li>
          <li>Return the [=permission state=] of |descriptor| with |settings|.
          </li>
        </ol>
        <p>
          A |descriptor|'s <dfn class="export">permission state</dfn>, given an optional
          <a>environment settings object</a> |settings| is the result of the following algorithm.
          It returns a {{PermissionState}} enum value:
        </p>
        <ol class="algorithm">
          <li>If |settings| wasn't passed, set it to the [=current settings object=].
          </li>
          <li>If |settings| is a [=non-secure context=], return {{PermissionState/"denied"}}.
          </li>
          <li>Let |feature| be |descriptor|'s {{PermissionDescriptor/name}}.
          </li>
          <li>If there exists a [=policy-controlled feature=] for |feature| and |settings|'
          [=relevant global object=] has an [=associated `Document`=] run the following step:
            <ol class="algorithm">
              <li>Let <var>document</var> be |settings|' [=relevant global object=]'s [=associated
              `Document`=].
              </li>
              <li>If <var>document</var> is not <a>allowed to use</a> |feature|, return
              {{PermissionState/"denied"}}.
              </li>
            </ol>
          </li>
          <li>Let |key| be the result of [=powerful feature/permission key generation
          algorithm|generating a permission key=] for |descriptor| with |settings|.
          </li>
          <li>Let |entry| be the result of [=get a permission store entry|getting a permission
          store entry=] with |descriptor| and |key|.
          </li>
          <li>If |entry| is not null, return a {{PermissionState}} enum value from |entry|'s
          [=permission store entry/state=].
          </li>
          <li>Return the {{PermissionState}} enum value that represents the permission state of
          |feature|, taking into account any [=powerful feature/permission state constraints=] for
          |descriptor|'s {{PermissionDescriptor/name}}.
          </li>
        </ol>
        <p>
          As a shorthand, a {{DOMString}} |name|'s <a>permission state</a> is the <a>permission
          state</a> of a {{PermissionDescriptor}} with its {{PermissionDescriptor/name}} member set
          to |name|.
        </p>
      </section>
      <section>
        <h3 id="requesting-more-permission">
          Requesting permission to use a powerful feature
        </h3>
        <p>
          To <dfn data-lt="request permission to use|requesting permission to use" class=
          "export">request permission to use</dfn> a |descriptor:PermissionDescriptor|, the user
          agent must perform the following steps. This algorithm returns either
          {{PermissionState/"granted"}} or {{PermissionState/"denied"}}.
        </p>
        <ol class="algorithm">
          <li>Let <var>current state</var> be the |descriptor|'s <a>permission state</a>.
          </li>
          <li>If <var>current state</var> is not {{PermissionState/"prompt"}}, return <var>current
          state</var> and abort these steps.
          </li>
          <li>Ask the user for <a>express permission</a> for the calling algorithm to use the
          <a>powerful feature</a> described by |descriptor|.
          </li>
          <li>If the user gives [=express permission=] to use the powerful feature, set |current
          state| to {{PermissionState/"granted"}}; otherwise to {{PermissionState/"denied"}}. The
          user's interaction may provide <a>new information about the user's intent</a> for the
          [=origin=].
            <p class="note">
              This is intentionally vague about the details of the permission UI and how the user
              agent infers user intent. User agents should be able to explore lots of UI within
              this framework.
            </p>
          </li>
          <li>Let |key| be the result of [=powerful feature/permission key generation
          algorithm|generating a permission key=] with the [=current settings object=].
          </li>
          <li>[=Queue a task=] on the [=current settings object=]'s [=environment settings
          object/responsible event loop=] to [=set a permission store entry=] with |descriptor|,
          |key|, and |current state|.
          </li>
          <li>Return |current state|.
          </li>
        </ol>
        <p>
          As a shorthand, <a>requesting permission to use</a> a {{DOMString}} |name|, is the same
          as <a>requesting permission to use</a> a {{PermissionDescriptor}} with its
          {{PermissionDescriptor/name}} member set to |name|.
        </p>
      </section>
      <section>
        <h3>
          Prompt the user to choose
        </h3>
        <p>
          To <dfn data-lt="prompt the user to choose|prompting the user to choose" class=
          "export">prompt the user to choose</dfn> one or more |options| associated with a given
          |descriptor:PermissionDescriptor| and an optional <a>boolean</a> |allowMultiple:boolean|
          (default false), the user agent must perform the following steps. This algorithm returns
          either {{PermissionState/"denied"}} or the user's selection.
        </p>
        <ol class="algorithm">
          <li>If |descriptor|'s <a>permission state</a> is {{PermissionState/"denied"}}, return
          {{PermissionState/"denied"}} and abort these steps.
          </li>
          <li>If |descriptor|'s <a>permission state</a> is {{PermissionState/"granted"}}, the user
          agent may return one (or more if |allowMultiple| is true) of |options| chosen by the user
          and abort these steps. If the user agent returns without prompting, then subsequent
          <a data-lt="prompt the user to choose">prompts for the user to choose</a> from the same
          set of options with the same |descriptor| must return the same option(s), unless the user
          agent receives <a>new information about the user's intent</a>.
          </li>
          <li>Ask the user to choose one or more |options| or deny permission, and wait for them to
          choose:
            <ol>
              <li>If the calling algorithm specified extra information to include in the prompt,
              include it.
              </li>
              <li>If |allowMultiple| is false, restrict selection to a single item from |options|;
              otherwise, any number may be selected by the user.
              </li>
            </ol>
          </li>
          <li>If the user chose one or more options, return them; otherwise return
          {{PermissionState/"denied"}}.
            <p class="note">
              This is intentionally vague about the details of the permission UI and how the user
              agent infers user intent. User agents should be able to explore lots of UI within
              this framework.
            </p>
          </li>
        </ol>
        <p>
          As a shorthand, <a>prompting the user to choose</a> from options associated with a
          {{DOMString}} |name|, is the same as <a>prompting the user to choose</a> from those
          options associated with a {{PermissionDescriptor}} with its {{PermissionDescriptor/name}}
          member set to |name|.
        </p>
      </section>
      <section>
        <h3 id="reacting-to-revocation">
          Reacting to users revoking permission
        </h3>
        <p>
          When the user agent learns that the user no longer intends to grant permission to use a
          feature described by the {{PermissionDescriptor}} |descriptor| in the context described
          by the [=permission key=] |key|, <dfn>react to the user revoking permission</dfn> by
          running these steps:
        </p>
        <ol class="algorithm">
          <li>Run |descriptor|'s {{PermissionDescriptor/name}}'s [=powerful feature/permission
          revocation algorithm=].
          </li>
          <li>[=Remove a permission store entry=] with |descriptor| and |key|.
          </li>
        </ol>
      </section>
    </section>
    <section>
      <h2>
        Permissions API
      </h2>
      <section>
        <h3 id="navigator-and-workernavigator-extension">
          Extensions to the `Navigator` and `WorkerNavigator` interfaces
        </h3>
        <pre class="idl">
          [Exposed=(Window)]
          partial interface Navigator {
            [SameObject] readonly attribute Permissions permissions;
          };

          [Exposed=(Worker)]
          partial interface WorkerNavigator {
            [SameObject] readonly attribute Permissions permissions;
          };
        </pre>
      </section>
      <section data-dfn-for="Permissions">
        <h3 id="permissions-interface">
          `Permissions` interface
        </h3>
        <pre class="idl">
          [Exposed=(Window,Worker)]
          interface Permissions {
            Promise&lt;PermissionStatus&gt; query(object permissionDesc);
          };

          dictionary PermissionDescriptor {
            required DOMString name;
          };
        </pre>
        <section>
          <h4 id="query-method">
            `query()` method
          </h4>
          <p>
            When the <dfn>query()</dfn> method is invoked, the <a>user agent</a> MUST run the
            following <dfn class="export">query a permission</dfn> algorithm, passing the parameter
            <var>permissionDesc</var>:
          </p>
          <ol class="algorithm">
            <li>If [=this=]'s [=relevant global object=] is a {{Window}} object, then:
              <ol>
                <li>If the [=current settings object=]'s <a>associated `Document`</a> is not
                [=Document/fully active=], return [=a promise rejected with=] an
                {{"InvalidStateError"}} {{DOMException}}.
                </li>
              </ol>
            </li>
            <li>Let |rootDesc| be the object |permissionDesc| refers to, <a>converted to an IDL
            value</a> of type {{PermissionDescriptor}}.
            </li>
            <li>If the conversion [=exception/throws=] an [=exception=], return <a>a promise
            rejected with</a> that exception.
            </li>
            <li>If |rootDesc|["{{PermissionDescriptor/name}}"] is not supported, return [=a promise
            rejected with=] a {{TypeError}}.
              <aside class="note" title="Why is this not an enum?">
                <p>
                  This is deliberately designed to work the same as WebIDL's [=enumeration=]
                  (`enum`) and implementers are encouraged to use their own custom `enum` here. The
                  reason this is not an enum in the specification is that browsers vary greatly in
                  the powerful features they support. Using a {{DOMString}} to identify a powerful
                  feature gives implementers the freedom to pick and choose which of the powerful
                  features from the [[[permissions-registry]]] they wish to support.
                </p>
              </aside>
            </li>
            <li>Let |typedDescriptor| be the object |permissionDesc| refers to, <a>converted to an
            IDL value</a> of |rootDesc|'s {{PermissionDescriptor/name}}'s [=powerful
            feature/permission descriptor type=].
            </li>
            <li>If the conversion [=exception/throws=] an [=exception=], return <a>a promise
            rejected with</a> that exception.
            </li>
            <li>Let |promise:Promise| be [=a new promise=].
            </li>
            <li>Return |promise| and continue [=in parallel=]:
              <ol>
                <li>Let |status| be <a>create a `PermissionStatus`</a> with |typedDescriptor|.
                </li>
                <li>Let |query| be |status|'s {{PermissionStatus/[[query]]}} internal slot.
                </li>
                <li>Run |query|'s {{PermissionDescriptor/name}}'s [=powerful feature/permission
                query algorithm=], passing |query| and |status|.
                </li>
                <li>[=Queue a global task=] on the [=permissions task source=] with [=this=]'s
                [=relevant global object=] to [=resolve=] |promise| with |status|.
                </li>
              </ol>
            </li>
          </ol>
        </section>
      </section>
      <section data-dfn-for="PermissionStatus">
        <h3 id="permissionstatus-interface">
          `PermissionStatus` interface
        </h3>
        <pre class="idl">
          [Exposed=(Window,Worker)]
          interface PermissionStatus : EventTarget {
            readonly attribute PermissionState state;
            readonly attribute DOMString name;
            attribute EventHandler onchange;
          };

          enum PermissionState {
            "granted",
            "denied",
            "prompt",
          };
        </pre>
        <p>
          {{PermissionStatus}} instances are created with a <dfn>[[\query]]</dfn> internal slot,
          which is an instance of a feature's [=powerful feature/permission descriptor type=].
        </p>
        <p data-dfn-for="PermissionState">
          The "<dfn>granted</dfn>", "<dfn>denied</dfn>", and "<dfn>prompt</dfn>" enum values
          represent the concepts of [=permission/granted=], [=permission/denied=], and
          [=permission/prompt=] respectively.
        </p>
        <section>
          <h4>
            Creating instances
          </h4>
          <p>
            To <dfn class="export">create a `PermissionStatus`</dfn> for a given
            {{PermissionDescriptor}} |permissionDesc|:
          </p>
          <ol class="algorithm">
            <li>Let |name:DOMString| be |permissionDesc|'s {{PermissionDescriptor/name}}.
            </li>
            <li>Assert: The [=feature=] identified by |name| is supported by the user agent.
            </li>
            <li>Let |status:PermissionStatus| be a new instance of the [=powerful
            feature/permission result type=] identified by |name|:
              <ol>
                <li>Initialize |status|'s {{PermissionStatus/[[query]]}} internal slot to
                |permissionDesc|.
                </li>
                <li>Initialize |status|'s {{PermissionStatus/name}} to |name|.
                </li>
              </ol>
            </li>
            <li>Return |status|.
            </li>
          </ol>
        </section>
        <section>
          <h4>
            `name` attribute
          </h4>
          <p>
            The <dfn>name</dfn> attribute returns the value it was initialized to.
          </p>
        </section>
        <section>
          <h4>
            `state` attribute
          </h4>
          <p>
            The <dfn>state</dfn> attribute returns the latest value that was set on the current
            instance.
          </p>
        </section>
        <section>
          <h4>
            `onchange` attribute
          </h4>
          <p>
            The <dfn>onchange</dfn> attribute is an <a>event handler</a> whose corresponding
            <a>event handler event type</a> is <code>change</code>.
          </p>
          <p id="PermissionStatus-update">
            Whenever the [=user agent=] is aware that the state of a {{PermissionStatus}} instance
            |status| has changed, it asynchronously runs the <dfn>`PermissionStatus` update
            steps</dfn>:
          </p>
          <ol class="algorithm">
            <li>If [=this=]'s [=relevant global object=] is a {{Window}} object, then:
              <ol>
                <li>Let |document| be |status|'s [=relevant global object=]'s [=associated
                Document=].
                </li>
                <li>If |document| is null or |document| is not [=Document/fully active=], terminate
                this algorithm.
                </li>
              </ol>
            </li>
            <li>Let |query| be |status|'s {{PermissionStatus/[[query]]}} internal slot.
            </li>
            <li>Run |query|'s {{PermissionDescriptor/name}}'s [=powerful feature/permission query
            algorithm=], passing |query| and |status|.
            </li>
            <li>
              <a>Queue a task</a> on the [=permissions task source=] to <a>fire an event</a> named
              <code>change</code> at |status|.
            </li>
          </ol>
        </section>
        <section>
          <h4 id="permissionstatus-gc">
            Garbage collection
          </h4>
          <p>
            A {{PermissionStatus}} object MUST NOT be garbage collected if it has an [=event
            listener=] whose type is `change`.
          </p>
        </section>
      </section>
    </section>
    <section id="conformance">
      <p>
        Two classes of product can claim conformance to this specification: [=user agents=] and
        other <dfn>specifications</dfn> (i.e., a technical report that [=specifies a powerful
        feature=] in a manner that conforms to the requirements of this specification).
      </p>
    </section>
    <section class="informative appendix">
      <h2 id="relationship-to-permissions-policy">
        Relationship to the Permissions Policy specification
      </h2>
      <p>
        Although both this specification and the [[[Permissions-Policy]]] specification deal with
        "permissions", each specification serves a distinct purpose in the platform. Nevertheless,
        the two specifications do explicitly overlap.
      </p>
      <p>
        On the one hand, this specification exclusively concerns itself with [=powerful features=]
        whose access is managed through a user-agent mediated permissions UI (i.e., permissions
        where the user gives express consent before that feature can be used, and where the user
        retains the ability to deny that permission at any time for any reason). These powerful
        features are registered in the [[[permissions-registry]]].
      </p>
      <p>
        On the other hand, the [[[Permissions-Policy]]] specification allows developers to
        selectively enable and disable policy-controlled features through a "[=Document/permissions
        policy=]" (be it a HTTP header or the [^iframe/allow^] attribute). In that sense, the
        Permissions Policy subsumes this specification in that [[[Permissions-Policy]]] governs
        whether a feature is available at all, independently of this specification. These
        policy-controlled features are also registered in the [[[permissions-registry]]].
      </p>
      <p>
        A powerful feature that has been disabled by the [[[Permissions-Policy]]] specification
        always has its [=permission state=] reflected as "denied" by this specification. This
        occurs because [=getting the current permission state|reading the current permission=]
        relies on [[HTML]]'s "[=allowed to use=]" check, which itself calls into the
        [[[Permissions-Policy]]] specification. Important to note here is the sharing of permission
        names across both specifications. Both this specification and the [[[Permissions-Policy]]]
        specification rely on other specifications defining the names of the permission and
        [=powerful feature/name=], and they are usually named the same thing (e.g., "geolocation"
        of the [[[Geolocation]]], and so on).
      </p>
      <p>
        Finally, it's not possible for a powerful feature to ever become "granted" through any
        means provided by the [[[Permissions-Policy]]] specification. The only way that a
        [=powerful feature=] can be [=permission/granted=] is by the user giving [=express
        permission=] or by some user agent policy.
      </p>
    </section>
    <section data-cite="webdriver">
      <h2 id="automation">
        Automated testing
      </h2>
      <p>
        For the purposes of user-agent automation and application testing, this document defines
        the following <a>extension commands</a> for the [[WebDriver]] specification. It is OPTIONAL
        for a user agent to support <a>extension commands</a> commands.
      </p>
      <pre class='idl'>
        dictionary PermissionSetParameters {
          required PermissionDescriptor descriptor;
          required PermissionState state;
        };
      </pre>
      <section>
        <h3 id="set-permission-command">
          Set Permission
        </h3>
        <table>
          <tbody>
            <tr>
              <th>
                HTTP Method
              </th>
              <th>
                <a data-lt="extension command URI template">URI Template</a>
              </th>
            </tr>
            <tr>
              <td>
                POST
              </td>
              <td>
                /session/{session id}/permissions
              </td>
            </tr>
          </tbody>
        </table>
        <p>
          The <dfn class="export" data-dfn-for="extension commands">Set Permission</dfn>
          <a>extension command</a> simulates user modification of a {{PermissionDescriptor}}'s
          <a>permission state</a>.
        </p>
        <p>
          The <a>remote end steps</a> are:
        </p>
        <ol>
          <li>Let |parameters| be the |parameters| argument, <a>converted to an IDL value</a> of
          type {{PermissionSetParameters}}. If this throws an exception, return an [=invalid
          argument=] [=error=].
          </li>
          <li>Let |rootDesc| be |parameters|.{{PermissionSetParameters/descriptor}}.
          </li>
          <li>Let |typedDescriptor| be the object |rootDesc| refers to, <a>converted to an IDL
          value</a> of <code>|rootDesc|.{{PermissionDescriptor/name}}</code>'s [=powerful
          feature/permission descriptor type=]. If this throws an exception, return a [=invalid
          argument=] [=error=].
          </li>
          <li>If |parameters|.{{PermissionSetParameters/state}} is an inappropriate <a>permission
          state</a> for any implementation-defined reason, return a [=invalid argument=] [=error=].
            <p class="note">
              For example, <a>user agents</a> that define the "midi" <a>powerful feature</a> as
              "always on" may choose to reject a command to set the <a>permission state</a> to
              {{PermissionState/"denied"}} at this step.
            </p>
          </li>
          <li>Let |settings| be the [=current settings object=].
          </li>
          <li>Let |targets| be a <a>list</a> containing all <a>environment settings objects</a>
          whose [=environment settings object/origin=] is the <a data-lt="same origin">same</a> as
          the [=environment settings object/origin=] of |settings|.
          </li>
          <li>Let |tasks| be an empty <a>list</a>.
          </li>
          <li>For each <a>environment settings object</a> |target| in |targets|:
            <ol>
              <li>
                <a>Queue a task</a> |task| on the [=permissions task source=] of |target|'s
                [=relevant settings object=]'s [=environment settings object/global object=]'s
                [=Window/browsing context=] to perform the following step:
                <ol>
                  <li>Interpret |parameters|.{{PermissionSetParameters/state}} as if it were the
                  result of an invocation of <a>permission state</a> for |typedDescriptor| with the
                  argument |target| made at this moment.
                  </li>
                </ol>
              </li>
              <li>[=list/Append=] |task| to |tasks|.
              </li>
            </ol>
          </li>
          <li>Wait for all <a>tasks</a> in |tasks| to have executed.
          </li>
          <li>Return <a>success</a> with data `null`.
          </li>
        </ol>
        <aside class="example" title="Setting a permission via WebDriver">
          <p>
            To [=extension commands/set permission=] for `{name: "midi", sysex: true}` of the
            [=current settings object=] of the <a>session</a> with ID 23 to "`granted`", the local
            end would POST to `/session/23/permissions` with the body:
          </p>
          <pre class="lang-json">
          {
            "descriptor": {
              "name": "midi",
              "sysex": true
            },
            "state": "granted"
          }
          </pre>
        </aside>
      </section>
    </section>
    <section class="appendix">
      <h2 id="privacy-considerations">
        Privacy considerations
      </h2>
      <p>
        An adversary could use a <a>permission state</a> as an element in creating a "fingerprint"
        corresponding to an end-user. Although an adversary can already determine the state of a
        permission by actually using the API, that often leads to a UI prompt being presented to
        the end-user (if the permission was not already [=permission/granted=]). Even though this
        API doesn't expose new fingerprinting information to websites, it makes it easier for an
        adversary to have discreet access to this information.
      </p>
      <p>
        A user agent SHOULD provide a means for the user to review, update, and reset the
        [=permission=] [=permission/state=] of [=powerful features=] associated with an [=origin=].
      </p>
    </section>
    <section id="security-considerations">
      <h2>
        Security considerations
      </h2>
      <p>
        There are no documented security considerations at this time. Readers are instead
        encouraged to read section [[[#privacy-considerations]]].
      </p>
    </section>
    <section id="idl-index"></section>
    <section class="appendix informative">
      <h2 class="no-num">
        Acknowledgments
      </h2>
      <p>
        The editors would like to thank Adrienne Porter Felt, Anne van Kesteren, Domenic Denicola,
        Jake Archibald and Wendy Seltzer for their help with the API design and editorial work.
      </p>
    </section>
  </body>
</html>