Re: Geolocation header

On Fri, Aug 4, 2017 at 10:58 AM, Walter H. <>

> On Fri, August 4, 2017 10:31, Luis Barguñó Jané wrote:
> > The Geolocation API spec says
> > permission should be acquired through a user interface and "The user
> > interface must include the host component of the document's URI".
> SHOULD doesn't mean MUST, so if dropping this
> "ask interface", it is still conforming to the specs ..

Sorry, my bad, the spec claims "User agents MUST acquire permission through
a user interface"
So it's a MUST.

> This is how browsers implement this today, following the spec.
> today is nothing said about tomorrow ...

It is, since MUST is what the spec says.

> >> I bet by the answer of the following question ...
> >>
> >> "From WHERE/HOW does a NON MOBILE know its location?"
> >>
> >> it doesn't make any sense to have any geo location - neither API nor
> >> header field - for user agents on non mobile devices ...
> >>
> > Desktop browsers use WiFi
> WiFi is a kind of mobile, I asked for non mobile ...
> in other words, the server already knows the answer: IP address.

In any case, this is not specific to smartphones, but to any device with
wireless capabilities that can be used for geolocation purposes. This
applies by far to the big majority of devices connected to the internet
today. Clearly enough for a legit use case.

And you can always use IP location if that's enough for you. You are not
forced to ask for and get this new header on your server if you don't need

> > There's clearly a legit use case on both mobile and desktop.
> > Otherwise why
> > would we have a standard for a JS geolocation API?
> invalid question; this has to be interpreted this:
> when you need geolocation, than use this API; nowhere is said, that you
> have to use this at all ...
> or is it forbidden to walk, even we have cars?

The same applies to the header proposal, the fact that servers have a way
to tell clients "send me a geolocation header", it does not mean the server
is forced to ask for that information.
Exactly the same as the server deciding whether to include JS to use
geolocation API.
Any server can still decide to not get any location data. Nobody is forced

All I'm proposing is instead of "when you need geolocation, use JS
geolocation API", you can also ask for this geolocation header, so you save
one round-trip. This is a purely technical improvement.

> > There's ways
> > to implement this header-based optimization that would not introduce any
> > new privacy risk.
> WOULD NOT doesn't mean WILL NOT, so it DOES introduce a new privacy risk.

My bad again, I was writing this e-mail as plain language.
I agree with you. We MUST not introduce any new privacy risk, and a proper
standard should guarantee that.

Received on Friday, 4 August 2017 09:56:07 UTC