Geolocation API should save permissions for an origin, not a domain name

RESOLVED WORKSFORME

Status


Core
Geolocation
5 years ago
a year ago

People

(Reporter: freddyb, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
The specification makes no suggestion whether a granted permission is saved for the current origin or the current domain name.
It is, however, undesirable to imply permission for HTTP sites when the user has only clicked the Allow button on a secure web page.

As expected, when the spec is unclear, browser vendors implemented this differently. Some use an origin, some use the domain name. Here's a listing from a few weeks ago:

Firefox: Hostname
Opera: Hostname
Chrome: Origin
Safari: Origin

I suggest that Firefox adopts this behavior due to the consequences for HTTPS/HTTP downgrades pointed out above.
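
The difference between the two storage keys listed in the description, as an added example that is not part of the original report and is not Firefox's permission manager code. `PermissionStore`, the key functions and the `foo.com` URLs are hypothetical names constructed for illustration.

```javascript
// Added illustration; PermissionStore and the URLs below are constructed.

// Key functions: which part of the URL identifies who received the grant.
const keyByHostname = (url) => new URL(url).hostname; // scheme and port ignored
const keyByOrigin = (url) => new URL(url).origin;     // scheme + host + port

class PermissionStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.grants = new Map(); // storage key -> Set of permission names
  }
  grant(url, permission) {
    const key = this.keyFn(url);
    if (!this.grants.has(key)) this.grants.set(key, new Set());
    this.grants.get(key).add(permission);
  }
  // "granted" if a saved decision covers this URL, otherwise "prompt".
  query(url, permission) {
    const saved = this.grants.get(this.keyFn(url));
    return saved && saved.has(permission) ? "granted" : "prompt";
  }
}

// Constructed scenario: the user clicks Allow on the HTTPS page only,
// then other URLs ask for the same permission.
function evaluate(keyFn) {
  const store = new PermissionStore(keyFn);
  store.grant("https://foo.com/map", "geolocation");
  const probes = [
    "https://foo.com/other",      // same origin
    "http://foo.com/something",   // scheme downgrade
    "https://foo.com:8443/admin", // different port
    "https://sub.foo.com/",       // different host
  ];
  return Object.fromEntries(
    probes.map((u) => [u, store.query(u, "geolocation")])
  );
}

const byHostname = evaluate(keyByHostname);
const byOrigin = evaluate(keyByOrigin);
console.table({ hostname: byHostname, origin: byOrigin });
```

With the hostname key, the plain-HTTP page and the page on another port inherit the grant made on the HTTPS page; with the origin key, both fall back to a prompt.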

Comment 1

5 years ago
This should likely be filed as a bug against the spec as well.
(Reporter)

Comment 2

5 years ago
The w3c list about geolocation discussed something related, i.e. how the "effective scripting origin" (origin modified by assignments to document.domain) affects the permissions:

http://lists.w3.org/Archives/Public/public-geolocation/2011Nov/0006.html
From my testing, it would appear IE10 uses Hostname

Comment 4

5 years ago
(In reply to Frederik Braun [:freddyb] from comment #2)
> The w3c list about geolocation discussed something related, i.e. how the
> "effective scripting origin" (origin modified by assignments to
> document.domain) affects the permissions:
> 
> http://lists.w3.org/Archives/Public/public-geolocation/2011Nov/0006.html

Thanks for finding this, that thread is good background. This does seem to be an implementation detail in some regard as the thread says, although the apparently spec'd UI behavior of only ever showing the domain and not the whole origin could lead to pretty weird behavior if origin is used as the 'key' for storage - if I grant permission for https://foo.com to read my location, I'll be prompted that 'foo.com wants to know your location'. If http://foo.com/something then wants my location, I'll be prompted again that 'foo.com wants to know your location' with no indication PER SPEC that there's any reason I'm being asked for what appears to be the same thing I already granted.

"Only provide my location to HTTPS content" seems like something only a small number of users would use - those with strong privacy/tracking concerns may well just disable geolocation entirely...
(Reporter)

Updated

3 years ago
Depends on: 1066517

Updated

2 years ago
Duplicate of this bug: 742043

Updated

2 years ago
Depends on: 1165263
Is this bug fixed now that the permission manager uses origins (Firefox 42, bug 1165263)?
Yep!
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME