Thanks for investigating, @tjr!
Prior to the permission prompt, the WebXR API limits information about the VR devices to the minimal needed to present an "Enter VR" button on the page. This is exposed with
There is also an event,
navigator.xr.ondevicechange, indicating that the available capabilities may have changed:
The only information returned is a boolean for each kind of session that can be created. Currently, this is limited to "inline" and "immersive-vr".
"inline" would always be enabled, as it does not require VR or AR specific hardware.
"immersive-vr" would be enabled any time there is VR hardware available.
In order to get more details (eg, the particular kind of hardware, its display resolution, and spatial tracking features), the page would need to call the
navigator.xr.requestSession function, which would trigger this permission prompt.
Does this sound reasonable, in the case where
privacy.resistfingerprinting is enabled?
If so, then we can keep this enabled when
privacy.resistfingerprinting is active :-)