- From: Luis Barguñó Jané <luisbargu@gmail.com>
- Date: Fri, 4 Aug 2017 10:31:17 +0200
- To: "Walter H." <walter.h@mathemainzel.info>
- Cc: Guilherme Hermeto <gui.hermeto@gmail.com>, ietf-http-wg@w3.org
- Message-ID: <CAPA9heU86mwVHsBG+2UAaSnowsbzDGO5msV_0_esNY-ajaB00A@mail.gmail.com>
> > > The user agent asks permission and it is stored for that particular > domain > > (like a cookie), so other servers wouldn't get it. > this may be a mistake ..., as the control a user has over his system, this > "ask for permission" might be globally ... > What do you mean the control might be global? The Geolocation API spec says permission should be acquired through a user interface and "The user interface must include the host component of the document's URI". This is how browsers implement this today, following the spec. There's no global permission, actually most implementations handle permissions per-origin (protocol + host + port). The same would apply to this header, any origin needs explicit permission before getting geolocation data. > I bet by the answer of the following question ... > > "From WHERE/HOW does a NON MOBILE know its location?" > > it doesn't make any sense to have any geo location - neither API nor > header field - for user agents on non mobile devices ... > Desktop browsers use WiFi scans to geolocate the device, providing locations up to ~10 meters accurate (as opposed to IP-based location that can be up to ~100Km). There's clearly a legit use case on both mobile and desktop. Otherwise why would we have a standard for a JS geolocation API? Let's be clear about how the Geolocation JS API works today. There's ways to implement this header-based optimization that would not introduce any new privacy risk.
Received on Friday, 4 August 2017 08:31:40 UTC