Powerful features are browser features (geolocation, camera, microphone ...) that can be accessed through JavaScript APIs and may require a permission granted by the user. These features can have a high impact on privacy and user security, so they should only be used if they are really necessary to implement the critical parts of an application.
This rule highlights intrusive permissions when they are requested with the future standard (but currently experimental) web browser query API and with the specific APIs related to the permission. It is highly recommended to customize this rule with the permissions considered intrusive in the context of the web application.
You are at risk if you answered yes to any of those questions.
When the geolocation API is used, Firefox, for example, retrieves personal information such as nearby wireless access points and the IP address and sends it to the default geolocation service provider, Google Location Services:
navigator.permissions.query({name:"geolocation"}).then(function(result) {
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
navigator.geolocation.getCurrentPosition(function(position) {
  console.log("coordinates x="+position.coords.latitude+" and y="+position.coords.longitude);
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
If geolocation is required, always explain to the user why the application needs it and prefer requesting an approximate location when possible:
<html>
  <head>
    <title>
      Retailer website example
    </title>
  </head>
  <body>
    Type a city, street or zip code where you want to retrieve the closest retail locations of our products:
    <form method=post>
      <input type=text value="New York"> <!-- Compliant -->
    </form>
  </body>
</html>
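Where a page does offer geolocation next to the typed field, the advice above can be applied in script as follows. This is an added example, not part of the original rule description; `REASON`, `coarsen` and `locateStores` are hypothetical names, and `geo` and `consent` are passed in so the flow can be exercised without a browser.

```javascript
// Added example. REASON, coarsen and locateStores are hypothetical names.
const REASON = "We use your approximate position only to list nearby stores.";

// Round to 2 decimals (about 1.1 km of latitude) so the precise fix
// never leaves this function.
function coarsen(coords, decimals = 2) {
  const f = 10 ** decimals;
  return {
    latitude: Math.round(coords.latitude * f) / f,
    longitude: Math.round(coords.longitude * f) / f,
  };
}

// geo:        object shaped like navigator.geolocation
// consent:    function(reason) -> boolean, shown BEFORE the browser prompt
// typedQuery: what the user typed in the form (city, street or zip code)
// done:       callback receiving either a coarse position or the typed query
function locateStores(geo, consent, typedQuery, done) {
  const fallback = (why) => done({ source: "typed", query: typedQuery, why });

  if (!geo || typeof geo.getCurrentPosition !== "function") {
    return fallback("unsupported");
  }
  // If the user declines our explanation, the browser prompt is never triggered.
  if (!consent(REASON)) {
    return fallback("declined");
  }
  geo.getCurrentPosition(
    (pos) => done({ source: "geolocation", ...coarsen(pos.coords) }),
    // code 1 is PERMISSION_DENIED in the Geolocation API
    (err) => fallback(err && err.code === 1 ? "denied" : "unavailable"),
    // Low accuracy and a cached fix are enough for a store locator.
    { enableHighAccuracy: false, maximumAge: 600000, timeout: 5000 }
  );
}

// In a page, wired to a button click (element names are assumptions):
// locateStores(navigator.geolocation, (m) => window.confirm(m), cityInput.value, render);
```

Every failure path falls back to the typed location, so the feature keeps working when the permission is refused.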