- From: James E. A. via GitHub <sysbot+gh@w3.org>
- Date: Tue, 11 Feb 2025 20:23:48 +0000
- To: public-device-apis-log@w3.org
@tamb * Geolocation API is [already](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API#:~:text=This%20feature%20is%20available%20only%20in%20secure%20contexts) locked to HTTPS-only. * A "PWA" can be less than 20 lines of code; what's the security benefit? Malicious web developers will happily jump over any hurdles thrown in their way; *only* honest web developers will be turned away by such a requirement. * Geolocation API also already requires user consent. * A timeout would destroy certain use-cases, and for what benefit? ----- I think that just these would be sufficient, when it comes to additions to the existing trust model, to avoid *any* surprises or new fundamental possibilities for anti-user behavior: 1. Maintaining GPS access into the background **always** produces a local notification that persists until access is relinquished * Access can be halted by the user at any time, from that notification 2. Initiating or resuming GPS access **always** requires the page to be foregrounded -- GitHub Notification of comment by James-E-A Please view or discuss this issue at https://github.com/w3c/geolocation-sensor/issues/22#issuecomment-2651987156 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 11 February 2025 20:23:49 UTC