
Geolocation API removed from unsecured origins in Chrome 50 - laacz
https://developers.google.com/web/updates/2016/04/geolocation-on-secure-contexts-only
======
cpeterso
The Firefox bug to restrict geolocation to secure origins is:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1072859](https://bugzilla.mozilla.org/show_bug.cgi?id=1072859)

------
TazeTSchnitzel
Does this mean we'll have less ad-plastered sites immediately asking for
geolocation the moment you visit them? Hooray!

~~~
AnkhMorporkian
Or, alternatively, terrifically increased HTTPS-by-default rates.

~~~
csulok
Wouldn't Let's Encrypt offset any significant benefit of this change? Is it
somehow difficult or counterproductive for these sites to add a certificate?

~~~
dangrossman
Getting more sites to use Let's Encrypt, or Cloudflare, or to buy a
certificate is the intended benefit of the change. Google is gradually
restricting these APIs to encrypted origins in order to encourage sites to use
encryption, not because they don't want the APIs used.

~~~
tard
> or Cloudflare

[https://www.cloudflare.com/ssl/#cloudflare-ssl-
options](https://www.cloudflare.com/ssl/#cloudflare-ssl-options)

cloudflare's "flexible ssl" option encrypts the connection between their
datacenter and the user, but not the one between the datacenter and the actual
web server

i guess it's better than nothing if your host doesn't support ssl but the
false sense of security could be harmful

------
Klathmon
And here's to hoping they are able to push for the same thing for getUserMedia
and the device motion/accelerometer APIs as well!

~~~
asherkin
getUserMedia was killed off for insecure origins quite a while ago in Chrome.

~~~
Klathmon
Oh shit really? That's awesome!

~~~
randall
I think it was Chrome 48. It also doesn't work for localhost.

~~~
Klathmon
Localhost is considered secure context, so it should still work for that...

It won't work with file:/// urls, but localhost is fine.

At least it was for me in 49 a couple weeks ago.

~~~
artursapek
It would be pretty hard to use the API if you couldn't test your code on
localhost :P

------
__jal
I'm very glad I don't touch web dev anymore. This piecemeal removal of
features from one transport mode is exactly the sort of thing that causes
clients (of the human, paying sort) to flip out when they misunderstand what
is going on.

Don't get me wrong - I think this is a good thing. And I don't know that the
answer is a big, publicized drop of all these changes at once, although that
would have certain advantages. But a trickle of dropped features that non-
technical folks will never see announced is going to be a lot of fun for web
developers.

~~~
matthewmacleod
I don't really think the backlash is happening as you describe. There's quite
a lot of public awareness about ongoing communications and privacy issues, and
implementing SSL is extremely cheap in most cases. "We need to upgrade your
security to keep things working, it will take a day" is a fairly
straightforward sell in most cases.

------
0x0
Does this move really solve ANY privacy problem? Getting geolocation already
prompts the user for approval. Any sinister party wouldn't bat an eye at
setting up https. Odd.

~~~
dudus
The concern is that if the site is insecure you might send Geolocation which
might be sensible information through unsecure channels allowing someone to
snoop on the connection and read that data.

In other words they are trying to hide the geolocation data from proxies,
Carriers, ISPs and someone possibly MitM attacks

------
mtgx
Speaking of which, whatever happened to the COWL system? I know Google &
Mozilla were involved in researching the tech. Will it ever come to Chrome and
other browsers?

[http://cowl.ws/](http://cowl.ws/)

[https://www.ucl.ac.uk/news/news-
articles/1014/061014_COWL](https://www.ucl.ac.uk/news/news-
articles/1014/061014_COWL)

------
jimmaswell
So now if someone who hosts/rents a small server for side projects/hosting
small services like community forums or a simple game wants to make something
experimenting with geolocation they'll have to buy an HTTPS cert, make an app
(which requires paying for the ability to put apps on major app stores unless
you want to only support Android, where the OS discourages users from
installing 3rd party apps with messages about how they might harm your phone,
or jailbroken iPhones), or only support non-Chrome browsers (as long as other
browsers don't follow in this). Is it really a good thing to restrict web
functionality even more from small players? How does it matter if someone
sniffs your GPS location from an HTTP connection? Are there situations where
that's feasible and your precise geographic location isn't something the
attacker doesn't already know? The only major situation I'm aware of is wifi
hotspots where the location is already known.

Edit: Apparently there are free certificate suppliers, but will those be
sustainable if HTTP is eventually fully phased out? Browsers display errors
with self-signed certificates, so it still seems problematic in the long run
to have to depend on the good graces of other parties if you want to serve web
content.

~~~
pfooti
I have a side-project server. It took me about fifteen minutes to get a ssl
cert with letsencrypt, and it was free. I even get use it on my mumble, smtp
and imap servers.

~~~
gcr
Agreed. Letsencrypt has come very close to making SSL certificate generation a
non-issue for small websites.

------
jlhonora
And also from our experience, it seems that they're only allowing TLS 1.0 and
up.
[https://github.com/alexreisner/geocoder/issues/1034](https://github.com/alexreisner/geocoder/issues/1034)

~~~
garrettr_
This comment seems to imply that you're using a transport layer security
mechanism < TLS 1.0, i.e. SSLv2 or SSLv3. I strongly encourage you to upgrade
to TLS 1.1 or newer.

------
hughes
> It should not [affect development], localhost has been declared as
> “potentially secure”

Glad this was included. Is https even meaningful when on a local server?

------
_RPM

      window.navigator.geolocation.getCurrentPosition(function() { console.log(arguments); })
    

This shows me the coordinates and no Error is thrown.

Chrome version:

    
    
        Version 50.0.2661.94 m

~~~
ry_ry
From localhost? Because that's treated as safe in this case.

~~~
_RPM
I opened up the console of HN's page.

~~~
kels
HN is a secure origin so it still works. Test it out on a non-https site.

~~~
_RPM
That's right. I had commented on this before I had my caffeine. My apologies.

------
r1ch
So ad-supported sites have to choose between greatly reduced ad revenue or a
broken app. Thanks Google.

~~~
untog
There is zero reason for an ad to be using the Geolocation API. IP-based
geolocation is more than enough.

~~~
cies
I'm sure advertising will find a use for it! Like "hyper-local ads" that can
give you "just around the corner" deals in malls, etc.

> There is zero reason for an ad to be using the Geolocation API. IP-based
> geolocation is more than enough.

There was also zero reason for billboards by highways, before there were
highways. :)

~~~
untog
Advertising could find a use for my DNA profile but that doesn't mean they
should have access to it.

Obviously this is all a sliding scale and has nuance, but I'd say ads should
not be using anything that is behind a permission prompt, like geolocation.
Tremendously hostile to both the user and the site hosting their ad.

