New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 464874 link

Starred by 25 users

Issue metadata

Status: WontFix
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Sign in to add a comment

Do not persist permissions for powerful features on insecure origins

Project Member Reported by, Mar 6 2015

Issue description

As a step toward deprecating powerful features on insecure origins, we should stop persisting those permissions.

A first short list would include:
- geolocation
- getUserMedia
- fullscreen
- pointer lock

This is going to require:
- update in Chrome site settings UI
- update in Chrome Android site settings UI
- update how the request granting is handled
Also Protected Media Identifier (EME)
Is there an ETA which version will make use of secure origins for EME mandatory?

Comment 4 by, Jul 28 2015

No, we have not come up with a timeline yet (ddorwin@ can correct me if I'm mistaken).

Comment 5 by, Aug 26 2015

Labels: Cr-Security Cr-Security-UX

Comment 6 by Deleted ...@, Sep 1 2015

This appears to be broken in Chrome and Chrome Canary at the moment. See this bug report:

Comment 7 by, Sep 1 2015

rabinowitz.dan: No change has been made in Chrome re: persistence of Geolocation (this is a tracker bug for when we *do* decide to make that change). If you've experienced the possible bug discussed in that stackoverflow post, can you file a new bug so we can track down what's going wrong? Thanks!

Comment 10 Deleted

Comment 11 Deleted

Owner: ----
Status: Available
Labels: -Cr-Permissions Cr-Internals-Permissions

Comment 14 by, Jan 3 2016

Please please please do not stop geolocation for HTTP origins!
With our national Currency like 0.01 from the USD it will very expensive... :( we have no possibility to move to HTTPS... :(

Comment 15 by, Jan 4 2016

gluck59: You can get certificates for free now, for example from
Any news on the timeline/ETA for making use of secure origins for EME mandatory?
geolocation and getUserMedia require https. fullscreen and pointerlock don't have permissions anymore. EME is the only other one mentioned here.

ddorwin can I assign this to you? Should we open a new bug for EME only?
Status: Assigned (was: Available)
Components: -Security>UX Internals>Permissions>Model
Components: -Security>UX Internals>Permissions>Model
Components: -Internals>Permissions
Status: WontFix (was: Assigned)
Support for insecure usage of EME is being removed:!topic/blink-dev/tXmKPlXsnCQ.

Per #17, this is the only other API mentioned, so I'm closing this.

Sign in to add a comment