This issue is a result of the PING review of w3cping/privacy-request#142

I appreciate that isSessionSupported is gated behind the xr-session-supported permission, which is a helpful step for ensuring compatibility with user agents that do not want to grant xr-session-supported automatically (in some or all cases).

However, I am concerned that there is no user activation requirement for the permission request. I worry that this will cause sites to expect the permission to be automatically granted on page load (as it is in large browsers currently) and so not handle the case where the permission is denied (or even prompted for).

Can the group explain more about why this decision was made? What would be lost to require the user activation (or other ways discouraging sites from assuming they'll be granted the permission automatically, on page load, and so not adequately handling and explaining to users whats happening in cases where the permission is not automatically granted?