Re: [geolocation-api] Restrict to user-activation-received frames (#48)

Right, we looked at this in 2019 as part of our project to reduce [notification permission spam](https://blog.mozilla.org/futurereleases/2019/11/04/restricting-notification-permission-prompts-in-firefox/). We also measured Geolocation and found it, IIRC, slightly less bad (in terms of prompt "success rate") but still bad enough that it would warrant attention. For notifications we did a [report](https://mozilla.report/post/projects/notification_permissions.kp/index.html) that showed a good correlation between user acceptance and prior user gesture, however we did not do the same analysis for geolocation. We should still have the data lying around, I think, so it wouldn't be impossible to do.

In any case, if I understand correctly, this issue is less about reducing prompt annoyance and more about the privacy/security aspect of "background" geolocation access, so as @pes10k mentions we'd have to gate the entire API on user gesture, even with a permanent permission. From a Firefox perspective that should probably be fine. Firefox gives out geolocation permissions as one-offs by default anyway. So gating permission prompts vs. gating the API only matters for the small percentage of users who opt into permanent permission. It could still lead to breakage, but overall for Firefox not much more than when gating the prompts on interaction, which again is something we're interested in.

What we would probably do (at the very least during the transition period) is show a "silent" prompt, like the ones both Firefox and Chrome have recently adopted for notifications, when permission was requested without a user gesture.

However, that way we can't un-break the edge case where the user gave a permanent permission but the API wasn't invoked with user activation, which is annoying. I also don't understand how this accounts for `watchPosition`, which could just as easily be invoked in place of several `getCurrentPosition` calls, right?

Maybe we should gate the prompts instead of the whole API and the more privacy-focused browsers can just switch their prompts away from permanently granting permissions?

As @marcoscaceres mentioned, with permissions policy I don't really see the point of differentiating between frames or not anymore, we should make this consistent for the whole API, IMO.

-- 
GitHub Notification of comment by johannhof
Please view or discuss this issue at https://github.com/w3c/geolocation-api/issues/48#issuecomment-814698777 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 7 April 2021 08:04:50 UTC
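The trade-off the comment above describes can be made concrete with a small model. The following is an added example written for this page, not code from the geolocation-api repository, Firefox or any browser: a fake document with a fake clock and an assumed 5-second transient-activation lifetime, and a `GatedGeolocation` object that implements the two policies under discussion, gating only the permission prompt on user activation (`'prompts'`) or gating every API call on it (`'api'`). It reproduces the two edge cases raised: a permanently granted site calling without a gesture, and a `watchPosition` started under a gesture that keeps delivering after the activation has expired. Class and function names, the `permanentGrants` switch and the sample coordinates are all assumptions for the example.

```javascript
// Constructed model of the two options discussed above: gate only the
// permission prompt on transient user activation ('prompts'), or gate every
// API call on it ('api'). Fake document, clock, position and the 5 s
// activation lifetime are assumptions for this example, not browser or spec code.

const ACTIVATION_TTL_MS = 5000; // assumed lifetime of a user gesture

class FakeDocument {
  constructor() {
    this.now = 0;                 // fake clock in milliseconds
    this.lastGesture = -Infinity; // time of the most recent real gesture
  }
  advance(ms) { this.now += ms; }
  click() { this.lastGesture = this.now; }
  get hasTransientActivation() {
    return this.now - this.lastGesture <= ACTIVATION_TTL_MS;
  }
}

class GatedGeolocation {
  // gate: 'prompts' | 'api'.  permanentGrants: an accepted prompt is
  // remembered (Chrome-style) instead of one-off (Firefox default).
  constructor(doc, { gate, permanentGrants, userAccepts = true }) {
    Object.assign(this, { doc, gate, permanentGrants, userAccepts });
    this.permission = 'prompt';   // 'prompt' | 'granted' | 'denied'
    this.watchers = new Map();
    this.nextWatchId = 1;
    this.ui = [];                 // prompts the browser chrome would show
  }

  // Returns 'allow' or the reason the call is refused.
  authorize() {
    const active = this.doc.hasTransientActivation;
    if (this.permission === 'denied') return 'denied';
    if (this.gate === 'api' && !active) {
      this.ui.push('silent-prompt');   // refused even with a permanent grant
      return 'blocked-no-activation';
    }
    if (this.permission === 'granted') return 'allow';
    if (!active) {
      this.ui.push('silent-prompt');   // no full prompt without a gesture
      return 'silent-prompt';
    }
    this.ui.push('prompt');
    if (!this.userAccepts) { this.permission = 'denied'; return 'denied'; }
    if (this.permanentGrants) this.permission = 'granted';
    return 'allow';
  }

  getCurrentPosition() {
    const verdict = this.authorize();
    return verdict === 'allow'
      ? { ok: true, position: this.samplePosition() }
      : { ok: false, reason: verdict };
  }

  watchPosition(callback) {
    const verdict = this.authorize();
    if (verdict !== 'allow') return { ok: false, reason: verdict };
    const id = this.nextWatchId++;
    this.watchers.set(id, callback);
    return { ok: true, watchId: id };
  }

  // A platform position update: watchers are fed without re-checking
  // activation under either policy, the watchPosition gap the comment raises.
  deliverUpdate() {
    for (const cb of this.watchers.values()) cb(this.samplePosition());
  }

  samplePosition() {   // constructed reading, not a real fix
    return { latitude: 52.52, longitude: 13.405, timestamp: this.doc.now };
  }
}

// Permanent grant obtained with a gesture, then a call long after it expired.
function permanentGrantWithoutGesture(gate) {
  const doc = new FakeDocument();
  const geo = new GatedGeolocation(doc, { gate, permanentGrants: true });
  doc.click();
  geo.getCurrentPosition();   // prompt shown and accepted
  doc.advance(60_000);
  return geo.getCurrentPosition();
}

// A watch started under a gesture keeps delivering after activation expires.
function watchOutlivesActivation(gate) {
  const doc = new FakeDocument();
  const geo = new GatedGeolocation(doc, { gate, permanentGrants: false });
  const received = [];
  doc.click();
  const started = geo.watchPosition((pos) => received.push(pos)).ok;
  doc.advance(60_000);
  geo.deliverUpdate();
  geo.deliverUpdate();
  return { started, updatesAfterExpiry: received.length };
}
```

Running `permanentGrantWithoutGesture('api')` refuses the call with `blocked-no-activation` even though the user granted permission permanently, which is the edge case the comment calls annoying, while `'prompts'` lets it through. `watchOutlivesActivation` returns two updates after the gesture has expired under both policies, which is the `watchPosition` question: checking activation only at call time does not stop a watch from standing in for repeated `getCurrentPosition` calls.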