- From: Luis Barguñó Jané <luisbargu@gmail.com>
- Date: Thu, 3 Aug 2017 17:25:42 +0200
- To: "Walter H." <Walter.H@mathemainzel.info>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Guilherme Hermeto <gui.hermeto@gmail.com>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CAPA9heW9BYbUu+eQaKrixGZBp76OksdRNkS8Gew15vQ2Sn1Upw@mail.gmail.com>

I'm not proposing a new permission or setting. The idea is consolidating with the existing JS geolocation permission for a certain origin. Otherwise I agree this would create a new vector.

An alternative version of this proposal through client hints would not even have the ability to ask for permission, and clients would only send the location to a site that already has permissions granted (through the JS API in the past). Geolocation-Request header would go away from the proposal.

This means that if you go NoScript then you would not even be able to get a permission prompt ever from JS, so you'd never attach this Geolocation header.

This way, it is not opening a new vector for attack. This new Geolocation header would only be sent to a site if that site was already in a situation where it could get location through JS at any time (because permission was already granted to that origin). And the permission for the new header is in sync with the JS geolocation API, which any user agent should expose in settings - and let the user change the decision for any site at any time <https://dev.w3.org/geo/api/spec-source.html#privacy_for_uas>.

Regarding use-cases, and why this is not limited to mobiles or irrelevant use cases:

- On desktop, browsers can also expose precise location through JS API, using wifi-based location (not ip-based). All main browsers already do that.
- Search-like services, news, media-content, social networks (a huge chunk of internet traffic), and the internet as a whole would certainly benefit from a solution that reduces 2 roundtrips to 1 roundtrip when the user is OK to send location to a site in order to get a local experience.

Getting a local experience seems quite far from censorship in my opinion.

On Thu, Aug 3, 2017 at 4:36 PM, Walter H. <Walter.H@mathemainzel.info> wrote:

> On 03.08.2017 09:29, Stephen Farrell wrote:
>
>> I find that the level of control offered by browsers to me as a user
>> seems to decrease over time. I can understand why that's the case, esp. on
>> mobiles, but am not keen on that.
>>
> mobiles are the only which have a legal use case; and these is specific to
> a small part of apps from the whole "app universe"
>
> just think of an app showing you the times of the next public offer of
> transport near to your position/location ...
>
> but for these special use cases there is no need of an extra header ...
>
>> Personally, I do consider web sites wanting to know my location as an
>> attack on my privacy in almost all cases. I realise that's uncommon and
>> that some people say they like being tracked. I don't know what the general
>> population think about this, as I suspect they just take whatever defaults
>> browsers choose and click ok, if not the first time, then eventually.
>>
> Exact these are my thoughts ...

Received on Thursday, 3 August 2017 15:26:05 UTC