
Re: Privacy considerations for implementors of the Geolocation API

From: Nick Doty <npdoty@ischool.berkeley.edu>
Date: Fri, 19 Nov 2010 21:11:30 -0800
Message-ID: <AANLkTim-fkquC56oW5AbYyHLoH=t4noeMfgRJ9Ue+zbg@mail.gmail.com>
To: Andrei Popescu <andreip@google.com>
Cc: Anne van Kesteren <annevk@opera.com>, Adrian Bateman <adrianba@microsoft.com>, Doug Turner <dougt@dougt.org>, "public-geolocation@w3.org" <public-geolocation@w3.org>

On Fri, Nov 19, 2010 at 7:18 AM, Andrei Popescu <andreip@google.com> wrote:

> On Tue, Nov 16, 2010 at 11:17 AM, Anne van Kesteren <annevk@opera.com> wrote:
> > On Mon, 15 Nov 2010 16:32:49 +0100, Doug Turner <dougt@dougt.org> wrote:
> >>
> >> I'd like the consideration section to reflect the intent we had.  I would
> >> rather have us leave the MUST but change what we meant to be displayed to
> >> the user.  Maybe "HOST of the requesting document".  There are probably
> >> others with a better name for this field.
> >
> > Host is not really good either. You want to know secure versus insecure for
> > instance.
>
> Hmm, why is this? Nobody (including Opera) does this at the moment.
>

Just to repeat, this is incorrect. Safari (as of 5.0 [1]) and Mobile Safari
(as of iOS 4.1 [2]) both display the scheme in their modal permissions
dialogs. Chrome used to display the scheme (in 5.0) but got rid of it -- it
would be interesting to know the decision process there.


> > Now whether this is displayed as a lock versus http/https should
> > be up to the user agent. In fact, if the user agent comes up with a novel
> > idea to clearly indicate what page the dialog belongs to I think that should
> > be allowed as well.
>
> If we said "host", that wouldn't prevent the UA from doing what you
> propose.
>

Agreed. Specifying "host" wouldn't stop a UA from showing more: the scheme,
the port, the extended validation certificate identity or any other
potentially relevant information. But the Working Group may still want to
normatively specify a lower bound that includes whether or not the script
was loaded over HTTPS.

Thanks,
Nick

[1] http://npdoty.name/location/safari-permission.jpg
[2] http://npdoty.name/location/iphone-permission.jpg
Received on Saturday, 20 November 2010 05:12:06 UTC
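
Added example, not part of the original message or of any browser's code: it compares three possible lower bounds for what a permission prompt shows (host only, host plus an HTTPS indicator, full origin) and reports which distinct origins would look identical to the user. The function names, label formats and sample URLs are assumptions made up for the illustration.

```javascript
// Added illustration. Function names, label formats and sample URLs are
// constructed for this example and do not come from any browser.

// Text a permission prompt would show for the requesting document.
//   "host"        : hostname only
//   "host+secure" : hostname plus whether the page was loaded over HTTPS
//   "origin"      : scheme, hostname and any non-default port
function promptLabel(documentUrl, level) {
  const u = new URL(documentUrl);
  if (level === "host") return u.hostname;
  if (level === "host+secure") {
    return u.hostname + (u.protocol === "https:" ? " (secure)" : " (not secure)");
  }
  return u.origin; // the URL parser already drops default ports (80, 443)
}

// Returns { label: [origins...] } for every label shared by two or more
// distinct origins, i.e. prompts the user cannot tell apart.
function ambiguousLabels(documentUrls, level) {
  const byLabel = new Map();
  for (const url of documentUrls) {
    const label = promptLabel(url, level);
    if (!byLabel.has(label)) byLabel.set(label, new Set());
    byLabel.get(label).add(new URL(url).origin);
  }
  const collisions = {};
  for (const [label, origins] of byLabel) {
    if (origins.size > 1) collisions[label] = [...origins].sort();
  }
  return collisions;
}

// Constructed sample: four documents that each call the Geolocation API.
const SAMPLE_DOCUMENTS = [
  "http://maps.example/find",
  "https://maps.example/find",
  "https://maps.example:8443/find",
  "https://other.example/",
];

for (const level of ["host", "host+secure", "origin"]) {
  console.log(level, JSON.stringify(ambiguousLabels(SAMPLE_DOCUMENTS, level)));
}
```

With the sample set, the host-only label merges three origins, the HTTPS indicator separates the plain-HTTP page but still merges the two HTTPS ports, and the full origin leaves no collisions.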
