Maybe you're right. I looked quickly but didn't find anything. Is there no standard out there stating, for example, that JavaScript MUST NOT be allowed unrestricted access to local storage or that the location API MUST request permission? These are just accepted as obvious best practices?