This blows my mind. What good reason is there for giving javascript such permissions by default? This should at the minimum trigger an explicit permission request from the user.