- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Mon, 01 Aug 2011 16:12:40 +0200
- To: public-geolocation@w3.org
- Cc: Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next generation
web standards, organized by ENISA (European Network and Information
Security Agency), and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).
The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.
Summary
---------
The Geolocatin API allows a script to retrieve the last cached location,
together with an appropriate timestamp
Based on: Geolocation API, 7 September 2010
Relevant Sections: 5.1. Geolocation Interface
Issue
-------
By forcing the retrieval of a cached value, using a timeout of 0, a
script can obtain the last cached position. By repeating this with
increasingly smaller values of maximumAge until an error occurs, it can
determine an approximate timestamp of this position.
Code example
--------------
The function that can be used to retrieve a cached location, with an
accuracy of 1 minute, for a period of 24 hours
function cache() {
var current = 24 * 60 * 60 * 1000;
var last = 0;
var loc = null;
var success = function(p) {
loc = p;
last = current;
current -= (60 * 1000);
navigator.geolocation.getCurrentPosition(success, error,
{maximumAge:current, timeout:0});
}
var error = function(p) {
if(loc != null) {
if(last == 0) {
time = "over " + (current / 1000 / 60) + " minutes ago";
}
else {
time = "between " + (current / 1000 / 60) + " and " + (last /
1000 / 60) + " minutes ago";
}
out.innerHTML += "Retrieved cached location of " + time + ": " +
loc.coords.latitude + "," + loc.coords.longitude + "<br>";
}
else {
out.innerHTML += "<span style='color:red;'>Failed to get one-shot
location</span><br>";
}
}
navigator.geolocation.getCurrentPosition(success, error,
{maximumAge:Infinity, timeout:0});
}
Example output after hitting the button a few times:
Retrieved cached location of between 18 and 19 minutes ago:
50.86386,4.69594
Retrieved cached location of between 18 and 19 minutes ago:
50.86386,4.69594
Retrieved cached location of between 20 and 21 minutes ago:
50.86386,4.69594
Retrieved cached location of between 20 and 21 minutes ago:
50.86386,4.69594
Current state of implementation
---------------------------------
The current desktop browser implementations (I don't own a mobile
device :)) show the following behavior:
* Firefox 5: caching not supported? (always uses Google location
services)
* Chrome 12: Scenario is supported
* IE 8: Geolocation not supported
* Safari 5 (windows): Geolocation does not return a result (no success
nor error)
* Opera 11.50: Scenario is supported
Recommended Solution
----------------------
A cached location should expire after a certain (configurable) amount of
time (e.g. 1 hour). This additional requirement can be added to section
4.1 (privacy considerations for implementors) of the specification.
(*) HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/
--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Tuesday, 2 August 2011 09:06:59 UTC