Re: Geolocation header

> > The user agent asks permission and it is stored for that particular
> domain
> > (like a cookie), so other servers wouldn't get it.
> this may be a mistake ..., as the control a user has over his system, this
> "ask for permission" might be globally ...

What do you mean the control might be global? The Geolocation API spec says
permission should be acquired through a user interface and "The user
interface must include the host component of the document's URI".

This is how browsers implement this today, following the spec. There's no
global permission, actually most implementations handle permissions
per-origin (protocol + host + port).
The same would apply to this header, any origin needs explicit permission
before getting geolocation data.

> I bet by the answer of the following question ...
> "From WHERE/HOW does a NON MOBILE know its location?"
> it doesn't make any sense to have any geo location - neither API nor
> header field - for user agents on non mobile devices ...

Desktop browsers use WiFi scans to geolocate the device, providing
locations up to ~10 meters accurate (as opposed to IP-based location that
can be up to ~100Km).

There's clearly a legit use case on both mobile and desktop. Otherwise why
would we have a standard for a JS geolocation API?

Let's be clear about how the Geolocation JS API works today. There's ways
to implement this header-based optimization that would not introduce any
new privacy risk.

Received on Friday, 4 August 2017 08:31:40 UTC