- From: Yves Lafon <notifications@github.com>
- Date: Fri, 12 Sep 2025 05:38:07 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1131/3285127524@github.com>
ylafon left a comment (w3ctag/design-reviews#1131) The proposal looks interesting, we still have a few comments: 1/ Requesting several times an approximate location could lead to disclosing the real location, if not cached or strictly rate-limited, the spec should consider being explicit about that risk 2/ location in general is not easy to fake, unlike an ip address which can be hidden using a VPN as an example. Even if it is not currently considered, coarse location should not be considered equivalent to IP geolocation, unless the same capability of intentionally changing location is available. 3/ There is a concern of leakage of private information due to the granularity of the coarsing algorithm provided at the OS level. The spec includes this in [Preventing Precise Location Reconstruction](https://pr-preview.s3.amazonaws.com/alvinjiooo/geolocation/pull/195.html#preventing-precise-location-reconstruction:~:text=a%20user%2Dagent%2Ddefined%20time%20window%20SHOULD%20return%20the%20exact%20same%2C%20cached%20approximate%20position%20data.%20A%20user%20agent%20might%2C%20for%20example%2C%20use%20a%20time%20window%20of%2015%20minutes.) by throttling the geolocation data intervals to every 15 minutes. There is no mention of that in the explainer. Can you please clarify that, and highlight any other defences against this? -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1131#issuecomment-3285127524 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/issues/1131/3285127524@github.com>
Received on Friday, 12 September 2025 12:38:11 UTC