On Fri, Oct 21, 2016 at 2:56 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> On 2016-10-21 3:49 PM, Richard Barnes wrote:
>> The geolocation API allows web pages to request the user's geolocation,
>> drawing from things like GPS on mobile, and doing WiFi / IP based
>> geolocation on desktop.
>>
>> Due to the privacy risks associated with this functionality, I would like
>> to propose that we restrict this functionality to secure contexts [1].
>>
>> Our telemetry for geolocation is a little rough, but we can derive some
>> upper bounds. According to telemetry from Firefox 49, the geolocation
>> permissions prompt has been shown around 4.6M times [2], on about 3B page
>> loads [3]. Around 21% of these requests were (1) from "http:" origins, and
>> (2) granted by the user. So the average rate of permissions being granted
>> to non-secure origins per pageload is 4.6M * 21% / 3B = 0.0319%.
>
> Does this mean that we'd be breaking one in 5 geolocation requests as a
> result of this? That seems super high. :(

Agreed. For example, my understanding is that this will break http://www.nextbus.com/ (and thus http://www.nextmuni.com/) location awareness (useful for us SF folks), which is kind of essential for having it tell you transit stops near you.

-t

> Since the proposal in the bug is adding [SecureContext] to
> Navigator.geolocation, have we also collected telemetry around which
> properties and methods are accessed? Since another kind of breakage we
> may encounter is code like |navigator.geolocation.getCurrentPosition()|
> throwing an exception and breaking other parts of site scripts...
>
>> Access to geolocation from non-secure contexts is already disabled in
>> Chrome [4] and WebKit [5].
>>
>> Please send any comments on this proposal by Friday, October 28.
>>
>> Relevant bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1072859
>>
>> [1] https://www.w3.org/TR/secure-contexts/
>> [2] https://mzl.la/2eeoWm9
>> [3] https://mzl.la/2eoiIAw
>> [4] https://codereview.chromium.org/1530403002/
>> [5] https://trac.webkit.org/changeset/200686
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
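
The script breakage raised in the quoted reply (an unguarded `navigator.geolocation.getCurrentPosition()` throwing once `[SecureContext]` removes the attribute on `http:` pages) can be avoided on the site side with a guard like the one below. This is an added example, not part of the thread or of any browser's code; `locate`, `naiveCallThrows`, `run`, the reason strings and the three environment objects are assumptions constructed for illustration, with `env` standing in for `window`.

```javascript
// Added example; `env` stands in for `window` so the logic also runs outside a browser.
// Reports through done({ok, ...}) instead of throwing when geolocation is withheld.
function locate(env, done) {
  const nav = env.navigator;
  const insecure = env.isSecureContext === false;
  // Shape 1: [SecureContext] removes the attribute, so navigator.geolocation is undefined.
  if (!nav || !nav.geolocation) {
    done({ ok: false, reason: insecure ? "insecure-context" : "unsupported" });
    return;
  }
  // Shape 2: the object exists but the request fails through the error callback.
  nav.geolocation.getCurrentPosition(
    (pos) => done({ ok: true, lat: pos.coords.latitude, lon: pos.coords.longitude }),
    (err) => {
      const denied = err.code === 1; // PERMISSION_DENIED in the Geolocation API
      done({ ok: false, reason: denied ? (insecure ? "insecure-context" : "denied") : "unavailable" });
    }
  );
}

// The unguarded call from the thread: throws TypeError once the attribute is gone.
function naiveCallThrows(env) {
  try {
    env.navigator.geolocation.getCurrentPosition(() => {});
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed stand-ins for three page environments (callbacks fire synchronously here).
const httpAttrRemoved = { isSecureContext: false, navigator: {} };
const httpErrorCallback = { isSecureContext: false, navigator: { geolocation: {
  getCurrentPosition(ok, fail) { fail({ code: 1, message: "constructed error" }); } } } };
const httpsGranted = { isSecureContext: true, navigator: { geolocation: {
  getCurrentPosition(ok) { ok({ coords: { latitude: 37.7749, longitude: -122.4194 } }); } } } };

// Helper that captures the result of locate() for the synchronous stand-ins above.
function run(env) {
  let result;
  locate(env, (r) => { result = r; });
  return result;
}

console.log(naiveCallThrows(httpAttrRemoved), run(httpAttrRemoved), run(httpErrorCallback), run(httpsGranted));
```

In a page the call is `locate(window, callback)`; a site that gets `insecure-context` back can fall back to manual location entry while the rest of its scripts keep running.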