- From: Luis Barguñó Jané <luisbargu@gmail.com>
- Date: Fri, 4 Aug 2017 11:27:29 +0200
- To: "Walter H." <walter.h@mathemainzel.info>
- Cc: Guilherme Hermeto <gui.hermeto@gmail.com>, ietf-http-wg@w3.org
- Message-ID: <CAPA9heWDOkYKq80P5xAGoBH4LyyxCwkj27u=4TF6nncY-Lpgeg@mail.gmail.com>
On Fri, Aug 4, 2017 at 10:58 AM, Walter H. <walter.h@mathemainzel.info> wrote: > On Fri, August 4, 2017 10:31, Luis Barguñó Jané wrote: > > > The Geolocation API spec says > > permission should be acquired through a user interface and "The user > > interface must include the host component of the document's URI". > > SHOULD doesn't mean MUST, so if dropping this > "ask interface", it is still conforming to the specs .. Sorry, my bad, the spec claims "User agents MUST acquire permission through a user interface" So it's a MUST. > This is how browsers implement this today, following the spec. > > today is nothing said about tomorrow ... > It is, since MUST is what the spec says. > > >> I bet by the answer of the following question ... > >> > >> "From WHERE/HOW does a NON MOBILE know its location?" > >> > >> it doesn't make any sense to have any geo location - neither API nor > >> header field - for user agents on non mobile devices ... > >> > > > Desktop browsers use WiFi > > WiFi is a kind of mobile, I asked for non mobile ... > > in other words, the server already knows the answer: IP address. In any case, this is not specific to smartphones, but to any device with wireless capabilities that can be used for geolocation purposes. This applies by far to the big majority of devices connected to the internet today. Clearly enough for a legit use case. And you can always use IP location if that's enough for you. You are not forced to ask for and get this new header on your server if you don't need it. > > There's clearly a legit use case on both mobile and desktop. > > > Otherwise why > > would we have a standard for a JS geolocation API? > > invalid question; this has to be interpreted this: > > when you need geolocation, than use this API; nowhere is said, that you > have to use this at all ... > > or is it forbidden to walk, even we have cars? The same applies to the header proposal, the fact that servers have a way to tell clients "send me a geolocation header", it does not mean the server is forced to ask for that information. Exactly the same as the server deciding whether to include JS to use geolocation API. Any server can still decide to not get any location data. Nobody is forced to. All I'm proposing is instead of "when you need geolocation, use JS geolocation API", you can also ask for this geolocation header, so you save one round-trip. This is a purely technical improvement. > > There's ways > > to implement this header-based optimization that would not introduce any > > new privacy risk. > > WOULD NOT doesn't mean WILL NOT, so it DOES introduce a new privacy risk. > My bad again, I was writing this e-mail as plain language. I agree with you. We MUST not introduce any new privacy risk, and a proper standard should guarantee that.
Received on Friday, 4 August 2017 09:56:07 UTC