Firefox 55: Geolocation requires secure origin
Mozilla plans to make a change to Geolocation in Firefox 55 that would block requests automatically if they come from non-secure origins.
Geolocation, broken down to its core, refers to technologies that allow sites and applications to determine a user's position in the world.
This is useful for mapping services, among other things (showing where you are, auto-filling the current location). Many sites, not only mapping services but also shopping sites and multilingual sites, use Geolocation for functionality.
It is fairly common for instance that users are redirected automatically to a local version of the site if it exists.
Mozilla plans to make the change in Firefox 55. The implementation follows on the heels of the Chromium team, which added the requirement in Chromium 50. Firefox 55 is scheduled for an August 2017 release.
Basically, what this means for Firefox users is that Geolocation requests won't work anymore if a site or application does not use HTTPS.
To be precise, Geolocation will also work in the context of encrypted WebSocket connections (wss://), and requests from local resources such as localhost.
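The rule described above, written out as an added JavaScript example (not code from the article or from Mozilla) that a site could use to decide whether to call Geolocation or fall back to manual location entry. The function names are hypothetical, and treating the loopback literals like localhost is an assumption of this example.

```javascript
// Added example, not code from the article or from Mozilla.
// Hosts treated as local resources. The article names only localhost;
// the loopback literals are an assumption of this example.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True if `href` is an origin the article lists as still allowed:
// HTTPS, encrypted WebSocket (wss://), or a local resource.
function originAllowsGeolocation(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return LOCAL_HOSTS.has(url.hostname);
  }
  return false; // any other scheme is treated as not allowed here
}

// `env` is a window-like object, passed in so the check also runs outside
// a browser. Returns null when a request may proceed, else the reason.
function geolocationBlockReason(env) {
  if (!(env.navigator && env.navigator.geolocation)) return "unsupported";
  // Prefer the browser's own verdict; fall back to the URL check.
  const secure = typeof env.isSecureContext === "boolean"
    ? env.isSecureContext
    : originAllowsGeolocation(env.location.href);
  return secure ? null : "insecure-origin";
}

// Resolves with { ok, ... } instead of rejecting, so the caller can show a
// manual location field whenever ok is false. In a page: locate(window).
function locate(env, options = { timeout: 10000 }) {
  return new Promise((resolve) => {
    const reason = geolocationBlockReason(env);
    if (reason) return resolve({ ok: false, reason });
    env.navigator.geolocation.getCurrentPosition(
      (pos) => resolve({ ok: true, coords: pos.coords }),
      (err) => resolve({ ok: false, reason: "request-failed", code: err.code }),
      options
    );
  });
}
```
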
Mozilla notes that services that use non-secure origins for Geolocation requests will break when the change happens. Telemetry data that was analyzed five months ago suggests that this will affect about 0.188% of page loads in the browser.
Just looking at non-secure origin Geolocation requests, Telemetry data suggested that 57% of getCurrentPosition() requests and 2.48% of watchPosition() requests use non-secure origins.
The figure will go down further in the future as more and more sites start the migration to HTTPS.
If you run Firefox Nightly currently, which is at version 55 at the time of writing, you will notice that non-secure Geolocation requests still work.
The feature is hidden behind a preference right now which you need to set to false to test right away:
- Type about:config in the browser's address bar and hit the Enter-key.
- Confirm that you will be careful.
- Search for geo.security.allowinsecure.
- Double-click on the preference to toggle it.
Once you have set the preference to false, any Geolocation request from an insecure origin will fail.
Now You: do you use sites that make use of Geolocation? (via Sören)
This is a defect. The ability of users to use https or http geolocation should be set in their preferences. You have locked users out of this option and broken tens of thousands of websites. The result is Firefox is no longer a viable browser and you are losing users. Chrome did this and it is a mistake to follow Google’s lame ideas, unless you give users the option. You could make secure geolocation the default, and allow a simple settings checkbox so users can use HTTP when that’s all that is available. I’ve been writing software since 1979, offered over 25,000 web pages on over 500 domains and my advice would be to be better than Chrome and make this a simple settings option.
Google has a bit of an advantage. I’m logged in to my Google account on both my phone and my desktop PC, and Google knows where my phone is because it periodically gets a location fix, so when I ask Google for my location on my desktop PC, it has an exact answer (correct to the street address).
Location solely by IP address places my desktop PC in one of several nearby cities (depending on the database) but not in my real city. It’s even worse on my phone; one database manages to locate me in a city about 90 miles from here. Good enough for setting a time zone and default language, maybe, assuming I’m not near a boundary, but that’s about it.
As more and more notebooks come equipped with GPS, the ability to get an exact location will become more widespread.
Blocking the geolocation feature in the browser is meaningless and worthless. It is dead simple to figure out where a connecting user / browser is located by the use of the geoip / mod_geoip web server libraries (used by Apache and others). I do this with my own personal family pictures website, and block various countries and continents, where none of my family or friends live. Maxmind makes their free IP database available that resolves down to the city level, which is more than enough to know where users are connecting from. Paying for full Maxmind service will allow even better location resolution.
Edited to add: It’s simple to show this, type “where am i” into a Google search.
When I do that, it says I live in a city about an hour and a half to two hours away, certainly not precise.
For me it gets to within a block or two of where I live. It probably has to do with how accurate the ISP’s IP address records are. Another thought is that while you have Geolocation off, all your neighbors still have it turned on, allowing Google at least to pinpoint you because you are in the same network subnet. I’m surrounded by many hundreds of houses ALL using Comcast.
I also block geolocation as a whole. Most sites don’t need to know where I am located.
I’ll always block geolocation as a whole and, here on Firefox, with:
// disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
user_pref("geo.wifi.uri", "http://0.0.0.0");
user_pref("browser.search.geoip.url", "");
I don’t need to know where I am and since I know where I am I have no problem getting my position on a map. My IP determines a geographical area far less precise than geolocation and that’s as much as any server needs to know. No need to be further spotted, whatever the service’s enchantments.
Now, concerning coming Firefox geolocation policy, reserved to secure sites, of course it’s a true improvement.
>The feature is hidden behind a preference right now which you need to set to false to test right away:
This option is not available in Firefox v52. It is available in v54 though. I don’t have v53 installed, so I don’t know about that.
Interesting once again to see how Mozilla is copying Chromium feature after feature. Even something like this, which could easily have been initiated by the “Privacy-minded” Mozilla, only gets introduced many months after Chromium. I guess they were too busy creating that pointless Firefox Focus/Klar app or something.
Yeah, and what about all the changes Chrome delivered after Firefox? There are a lot of examples in the recent past (wasm, CSS grids, a lot of current ECMAScript features, password field warnings, …). But why does it matter to you who was first? Websites with Geolocation over HTTP have already been broken in Chrome and Safari for more than a year. So why is it bad for you that Mozilla does the same?
By the way, market share is important. Chrome has a lot more market share than Firefox. So it’s clear that Mozilla can’t introduce every breaking change as the first browser vendor.