Suggest adding a PositionError entry for requests denied because of origin #11

Closed
yell0wd0g opened this issue Mar 13, 2017 · 1 comment
Labels: enhancement, security-tracker (Group bringing to attention of security, or tracked by the security Group but not needing response.)


@yell0wd0g

From https://bugs.chromium.org/p/chromium/issues/detail?id=630305:

Refer to https://developers.google.com/web/updates/2016/04/geolocation-on-secure-contexts-only

Since Chrome 50, HTTP origins are not allowed to access (among other things) the geolocation API. The above page provides rationale on why this was done, as well as a method to detect if geolocation has been disabled by the browser due to an insecure origin. Unfortunately, as the page itself notes, this detection method is "quite brittle", using a hard-coded English-language string to determine whether the user or the browser blocked the geolocation request. A far better option would be to return a discrete error code that allows developers to distinguish this case.

I suggest an additional field on the PositionError interface, something like PERMISSION_DENIED_INSECURE_ORIGIN = 4. Alternatively the navigator.geolocation property could be undefined on insecure origins (because let's face it, if the API is inaccessible due to browser security restrictions, it might as well not be there at all). Either way, this would give developers a sure way to know that they cannot depend on geolocation being available.
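An added example, not part of the original issue or of the specification: one way a page can tell the insecure-origin case apart from a user refusal without matching on `error.message`, by consulting `isSecureContext`. The function names, the returned labels and the `makeScope` stand-in are hypothetical.

```javascript
// Added example: classify a geolocation failure without parsing error.message.
// Function names and returned labels are hypothetical, not from the spec.

// Numeric codes defined on the PositionError interface.
const PERMISSION_DENIED = 1;
const POSITION_UNAVAILABLE = 2;
const TIMEOUT = 3;

// `scope` is the global object (window in a browser).
function classifyGeolocationError(err, scope) {
  switch (err.code) {
    case PERMISSION_DENIED:
      // A user refusal and a browser block share this code, so the
      // secure-context flag is what tells them apart.
      return scope.isSecureContext === false ? "insecure-origin" : "permission-denied";
    case POSITION_UNAVAILABLE: return "position-unavailable";
    case TIMEOUT: return "timeout";
    default: return "unknown";
  }
}

// Check the context before calling the API, then classify any error callback.
function locate(scope, onPosition, onFailure) {
  if (!scope.navigator || !scope.navigator.geolocation) return onFailure("unsupported");
  if (scope.isSecureContext === false) return onFailure("insecure-origin");
  scope.navigator.geolocation.getCurrentPosition(
    onPosition,
    (err) => onFailure(classifyGeolocationError(err, scope))
  );
}

// Constructed stand-in for a browser global; it always fails with `code`.
function makeScope(secure, code) {
  const geolocation = {
    getCurrentPosition: (ok, fail) => fail({ code, message: "constructed" }),
  };
  return { isSecureContext: secure, navigator: { geolocation } };
}

// Returns the label that locate() reports for a given scope.
function outcome(scope) {
  let label = null;
  locate(scope, () => { label = "ok"; }, (reason) => { label = reason; });
  return label;
}

console.log(outcome(makeScope(false, PERMISSION_DENIED)));
console.log(outcome(makeScope(true, PERMISSION_DENIED)));
```

In a browser, pass `window` as `scope`; a missing `isSecureContext` property is treated as "not known to be insecure", so older browsers fall back to the plain `permission-denied` label.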

@plehegar added the enhancement and security-tracker labels on Nov 20, 2017
@reillyeon

This was resolved by #34.
