It can be more sinister. Although I am sure the other answers are right in some circumstances, I was curious a while ago, so I actually clicked one.

Whether you click allow or deny, it shot off a network request to a third party domain. This lets the third party know your browser's user agent, and if they have an exploit for your browser they will send a payload that compromises the browser with the intent of installing an adware extension.

It failed to install on the machine I made for it (Ubuntu18/Chrome) but it did manage to navigate me to an advert from the click.

But any click can do that, right? No need for it to be a fake Allow/Deny prompt.

The best I can think of is that it does 2 things:

1. Preserves the "true" allow/deny prompt for a time when the user will allow.

2. Lulls the user into a sense of security. The page is nice and/or their browser will ask about anything the page tries to do.

My guess is something to do with needing to have a user prompt certain types of cross site javascript actions.

It also needs to seem legitimate so people click it but don't report it.

If the user says no to the real dialog, you can never bring up the real dialog again.

Sites with fake dialogs in my experience ask again the next time you open the page.

It’s the same reason many iPhone apps implement their own dialogues to ask about allowing notifications. If the user chooses ‘Deny’ in the system-provided one, the app can never ask again and the only way to turn notifications on later is to have the user go digging around in the Settings app, which few people will bother to do.

I take great pleasure in choosing ‘Allow’ in those custom dialogues and then ‘Deny’ when the native one pops up immediately afterwards.

I would leave them alone entirely, as you can see from my comment they are actually sometimes attempts to compromise your browser.

Oh absolutely, I was referring only to native phone apps.