Websites are going to force users to click "allow."
That's a bit strong. A website can't force a user to anything. The point is that to use the feature nefariously without the user knowing it's happening is relatively easy to prevent by putting the feature behind a permissions flag. If the user actively wants a website to be able to make connections they can say yes.
If the user doesn't know then they ought to be saying no, but really they won't and they'll say yes if the warning isn't scary enough. The browser vendors could also do things like throttling connections or asking for permission again if things look too weird.
Most people I know just click "yes" on all popups until the website starts working. In between every other website asking for notification/location permissions and a huge pile of GDPR popups (which are actively hostile towards users that attempt to opt-out), we've managed to condition web users into routinely agreeing to give up their privacy and security. Hooray.
> Most people I know just click "yes" on all popups until the website starts working
This. Defaults matter. You cannot introduce a privacy sensitive feature just with a permission dialog box. You must expect that most users just click through, and continue to protect those "dumb" users.
That's a bit strong. A website can't force a user to anything. The point is that to use the feature nefariously without the user knowing it's happening is relatively easy to prevent by putting the feature behind a permissions flag. If the user actively wants a website to be able to make connections they can say yes.
If the user doesn't know then they ought to be saying no, but really they won't and they'll say yes if the warning isn't scary enough. The browser vendors could also do things like throttling connections or asking for permission again if things look too weird.