Closed Bug 812147 Opened 12 years ago Closed 8 years ago

Geolocation API should save permissions for an origin, not a domain name

Categories

(Core :: DOM: Geolocation, defect)

RESOLVED WORKSFORME

People

(Reporter: freddy, Unassigned)

The specification makes no suggestion whether a granted permission is saved for the current origin or the current domain name.
It is, however, undesirable to imply permission for HTTP sites when the user has only clicked the Allow button on a secure web page.

As expected, when the spec is unclear, browser vendors implemented this differently. Some use an origin, some use the domain name. Here's a listing from a few weeks ago:

Firefox: Hostname
Opera: Hostname
Chrome: Origin
Safari: Origin

I suggest that Firefox adopts this behavior due to the consequences for HTTPS/HTTP downgrades pointed out above.
This should likely be filed as a bug against the spec as well.

The w3c list about geolocation discussed something related, i.e. how the "effective scripting origin" (origin modified by assignments to document.domain) affects the permissions:

http://lists.w3.org/Archives/Public/public-geolocation/2011Nov/0006.html

From my testing, it would appear IE10 uses Hostname

(In reply to Frederik Braun [:freddyb] from comment #2)
> The w3c list about geolocation discussed something related, i.e. how the
> "effective scripting origin" (origin modified by assignments to
> document.domain) affects the permissions:
> 
> http://lists.w3.org/Archives/Public/public-geolocation/2011Nov/0006.html

Thanks for finding this, that thread is good background. This does seem to be an implementation detail in some regard as the thread says, although the apparently spec'd UI behavior of only ever showing the domain and not the whole origin could lead to pretty weird behavior if origin is used as the 'key' for storage - if I grant permission for https://foo.com to read my location, I'll be prompted that 'foo.com wants to know your location'. If http://foo.com/something then wants my location, I'll be prompted again that 'foo.com wants to know your location' with no indication PER SPEC that there's any reason I'm being asked for what appears to be the same thing I already granted.

"Only provide my location to HTTPS content" seems like something only a small amount of users would use - those with strong privacy/tracking concerns may well just disable geolocation entirely...

Depends on: 1066517
Depends on: 1165263

Is this bug fixed now that the permission manager uses origins (Firefox 42, bug 1165263)?

Yep!

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
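
The two storage keys discussed in this bug, compared in an added example that is not part of the original report and is not Firefox's permission manager code. `PermissionStore`, `byHostname`, `byOrigin`, `promptText` and `compare` are hypothetical names, and the URLs are constructed samples based on the foo.com case from the comments.

```javascript
// Toy permission store (illustration only). keyFn decides what a saved
// "Allow" decision is bound to.
class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.decisions = new Map();
  }
  allow(url) {
    this.decisions.set(this.keyFn(url), "granted");
  }
  query(url) {
    return this.decisions.get(this.keyFn(url)) || "prompt";
  }
}

// Hostname keying: scheme and port are discarded.
const byHostname = (url) => new URL(url).hostname;
// Origin keying: scheme + host + port (URL drops default ports).
const byOrigin = (url) => new URL(url).origin;

// Prompt text that shows only the host, as described in the thread.
const promptText = (url) =>
  `${new URL(url).hostname} wants to know your location`;

// Constructed sample URLs.
const SECURE = "https://foo.com/map";
const PLAIN = "http://foo.com/something";
const OTHER_PORT = "https://foo.com:8443/map";

function compare() {
  const result = {};
  const schemes = [["hostname", byHostname], ["origin", byOrigin]];
  for (const [name, keyFn] of schemes) {
    const store = new PermissionStore(keyFn);
    store.allow(SECURE); // user clicks Allow on the HTTPS page only
    result[name] = {
      secure: store.query(SECURE),
      plain: store.query(PLAIN),
      otherPort: store.query(OTHER_PORT),
    };
  }
  return result;
}

console.log(compare());
// Both prompts read the same even though the origins differ.
console.log(promptText(SECURE) === promptText(PLAIN));
```

With hostname keying the grant made on the HTTPS page also answers for the HTTP page and the other port; with origin keying both fall back to a prompt whose text is identical to the first one.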