Re: Geolocation header

On Fri, August 4, 2017 08:53, Guilherme Hermeto wrote:


> I get it, but as far as I can see, the same applies to Geolocation API
> too.

No, because it requires something you can disable - e.g. with NoScript ...

> The user agent asks permission and it is stored for that particular domain
> (like a cookie), so other servers wouldn't get it.
this may be a mistake ..., as the control a user has over his system, this
"ask for permission" might be globally ...

when it's using the Geolocation API, you have the chance e.g. with NoScript
to prevent a server from getting this ...

> Can you elaborate on "server MUST NOT get any knowledge to let him
> decide what to send to the client"?
> Because servers acquire such knowledge all the
> time, doing authentication, authorization... but I'm assuming that isn't
> what you meant.

No, I mean e.g. that a server MUST NOT interpret the User-Agent Header
field ...;
e.g. when it is the Google Crawler it sends the content, and when I search
in Google and get this page, and click there will get a 404 or 403,
because it is not the Google Crawler ...

or other example: there is an application you want to download, and the
webpage gives you only the download for the Linux port, not the Windows
port, because your User-Agent says Linux ...

> All said, what really concerns me is that even though there is the
> Geolocation API to recommend how user agents should acquire and treat such
> information

I don't know any API that does make thoughts about what sense and if there
is a legit use case ...

> Should we work towards that?

No,
first think of legit use and then think if you really want to put all
clients into the same group even when you know, that it is wrong ...

I bet by the answer of the following question ...

"From WHERE/HOW does a NON MOBILE know its location?"

it doesn't make any sense to have any geo location - neither API nor
header field - for user agents on non mobile devices ...

Received on Friday, 4 August 2017 07:54:57 UTC