On 2016-10-22 9:32 AM, Richard Barnes wrote: > On Fri, Oct 21, 2016 at 8:59 PM, Chris Peterson <[email protected]> > wrote: > >> On 10/21/2016 3:11 PM, Tantek Çelik wrote: >> >>>> Does this mean that we'd be breaking one in 5 geolocation requests as a >>>>> result of this? That seems super high. :( >>>> >>> Agreed. For example, my understanding is that this will break >>> http://www.nextbus.com/ (and thus http://www.nextmuni.com/ ) location >>> awareness (useful for us SF folks), which is kind of essential for >>> having it tell you transit stops near you. -t >>> >> >> Indeed, the geolocation feature on nextbus.com is broken in Chrome. (The >> site shows a geolocation error message on first use.) >> >> Next Bus already has an HTTPS version of their site, but it is not the >> default and has some mixed-content warnings. For a site that uses >> geolocation as a core part of its service, I'm surprised they have let it >> stay broken in Chrome for six months. Chrome removed insecure geolocation >> in April 2016 and announced its deprecation in November 2015. > > > This is actually the bigger point than the telemetry point: The sites we > would break with this change have already been broken for six months in > Chrome and for four months in WebKit. This is not something where we > should be standing on principle and bravely being different from other > browsers; in fact quite the opposite.
I agree with the benefits of removing this API, and I understand the argument around compatibility with other browsers. But there is also the aspect of user pain caused by this, especially the way that Chrome has shipped it (by silently breaking the API.) Have we considered doing something here to help the user when we block this API? For example, we could check to see whether the site has a TLS version and suggest in a doorhanger that the user should switch to it and maybe provide a button for them to do that without them having to edit the URL (especially since we hide "http://"; in the non-secure top-level document case.) Or if there is no TLS version, perhaps we can put up a doorhanger explaining what happened, and link to a support article for more details. If we had a good way to collect this data, we could also have a UI to submit the site to Mozilla so that our webcompat team can try to reach out to the website and introduce them to Let's Encrypt? Cheers, Ehsan _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
