I wonder if website operators even *know* that their sites are constantly requesting access to people’s virtual reality devices. Why does @CNN want permission to use my Oculus? Why does @teespring? Who knows, they don’t say, they just pop up a request.
I found my ability to investigate this tweet was hampered by a few key problems: I do not own a VR headset and, despite an Apple knowledgebase article laying out the steps to get SteamVR working with Final Cut Pro, the SteamVR app appears to only be available for Windows. Also, it is unlikely that many people will see such a warning in the near future, as VR headset ownership remains pretty rare.
Nevertheless, I pulled copies of both the CNN and Teespring homepages and all linked files to take a look. I only found one file in common: a script powering and tracking Bing Ads on both sites. After deobfuscating the file, I did not find a reference to the WebXR API that would allow access to a VR headset. In short, I could not figure out where that request could be coming from.
Even so, it is extraordinary that some script — probably provided by a third party in a way that neither CNN nor Teespring can control — may request access to a user’s VR headset. I contend that functionality like this should not be available to websites at all. But, if it must, it ought to be referenced from the same domain space as the website and be explicitly activated by the user.
Update: As of April 30, Steam officially dropped VR support for macOS.