Starred by 13 users
Status: Fixed
Closed: Mar 2016
OS: All
Pri: 2
Type: Launch-OWP

Blocking:
issue 520765



Removal of geolocation from insecure origins
Project Member Reported by jww@chromium.org, Nov 25 2015
Change description:
Remove the geolocation API from insecure origins.

Changes to API surface:
* geolocation

Links:
Public standards discussion:
This has been extensively discussed on blink-dev: https://groups.google.com/a/chromium.org/d/msg/blink-dev/2LXKVWYkOus/gT-ZamfwAKsJ
Also, see the broader tracking bug for removing all powerful APIs from insecure origins: https://crbug.com/520765

Support in other browsers:
Internet Explorer: No word.
Firefox: Has expressed an intent to deprecate and remove this API from insecure origins.
Safari: No word.

 
Comment 1 by jww@chromium.org, Nov 25 2015
Blocking: chromium:520765
Comment 2 by rbyers@chromium.org, Nov 25 2015
Looks like this has been generating deprecation warnings since Chrome 44, right?
https://chromium.googlesource.com/chromium/src/+/a2e57bec2927b12c763e1d1b3b3154eadc1e0058
Comment 3 by jww@chromium.org, Nov 25 2015
Correct. This was part of the initial "intent to deprecate old powerful features on insecure origins" discussion (https://groups.google.com/a/chromium.org/d/msg/blink-dev/2LXKVWYkOus/gT-ZamfwAKsJ) and has been tracked as part of issue 520765. I just thought it was worth breaking it out into its own bug.
Comment 4 by jww@chromium.org, Nov 25 2015
Also, a link to the blink-dev Intent to Remove: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/ylz0Zoph76A
Project Member Comment 5 by bugdroid1@chromium.org, Dec 11 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33ef9f5c8df422b0320cbc506d57bdce2999ebc8

commit 33ef9f5c8df422b0320cbc506d57bdce2999ebc8
Author: jww <jww@chromium.org>
Date: Fri Dec 11 07:34:21 2015

Removal of geolocation APIs on insecure origins

This disallows the geolocation APIs getCurrentPosition() and
watchPosition() from being used on insecure origins. Adds a console
warning message that the API call has failed because of this.

BUG=520765, 561641 

Review URL: https://codereview.chromium.org/1485973002

Cr-Commit-Position: refs/heads/master@{#364642}

[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java
[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/chrome/browser/geolocation/geolocation_permission_context.cc
[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/chrome/browser/geolocation/geolocation_permission_context_unittest.cc
[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt
[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html
[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/third_party/WebKit/Source/core/frame/UseCounter.cpp
[modify] http://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp

Project Member Comment 6 by bugdroid1@chromium.org, Dec 11 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ecdcb8846d510107b97b8401b81ec06462420f15

commit ecdcb8846d510107b97b8401b81ec06462420f15
Author: johnme <johnme@chromium.org>
Date: Fri Dec 11 13:26:32 2015

Revert of Removal of geolocation APIs on insecure origins (patchset #6 id:100001 of https://codereview.chromium.org/1485973002/ )

Reason for revert:
Sorry, this broke the following WebView CTS tests:

android.webkit.cts.GeolocationTest#testSimpleGeolocationRequestAcceptAlways
android.webkit.cts.GeolocationTest#testSimpleGeolocationRequestAcceptOnce
android.webkit.cts.GeolocationTest#testSimpleGeolocationRequestReject

See https://build.chromium.org/p/chromium.android/builders/Android%20WebView%20CTS%20L-MR1%20%28dbg%29/builds/4704

It seems that might be intentional, but turning the bot red doesn't seem great. sgurun@ can probably advise on whether WebView has test expectations for CTS, that could be used to disable these tests.

Original issue's description:
> Removal of geolocation APIs on insecure origins
>
> This disallows the geolocation APIs getCurrentPosition() and
> watchPosition() from being used on insecure origins. Adds a console
> warning message that the API call has failed because of this.
>
> BUG=520765, 561641 
>
> Committed: https://crrev.com/33ef9f5c8df422b0320cbc506d57bdce2999ebc8
> Cr-Commit-Position: refs/heads/master@{#364642}

TBR=mlamouri@chromium.org,philipj@opera.com,thestig@chromium.org,sgurun@chromium.org,torne@chromium.org,jww@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=520765, 561641 

Review URL: https://codereview.chromium.org/1515103003

Cr-Commit-Position: refs/heads/master@{#364689}

[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java
[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/chrome/browser/geolocation/geolocation_permission_context.cc
[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/chrome/browser/geolocation/geolocation_permission_context_unittest.cc
[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt
[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html
[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/third_party/WebKit/Source/core/frame/UseCounter.cpp
[modify] http://crrev.com/ecdcb8846d510107b97b8401b81ec06462420f15/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp

Project Member Comment 7 by bugdroid1@chromium.org, Jan 19 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1

commit 9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1
Author: jww <jww@chromium.org>
Date: Tue Jan 19 20:58:59 2016

Removal of geolocation APIs on insecure origins

This disallows the geolocation APIs getCurrentPosition() and
watchPosition() from being used on insecure origins. Adds a console
warning message that the API call has failed because of this.

Note that this is a re-land of
https://codereview.chromium.org/1485973002/. See that CL for full
discussion.

BUG=520765,  561641 
TBR=thestig@chromium.org,sgurun@chromium.org,philipj@opera.com,mlamouri@chromium.org

Review URL: https://codereview.chromium.org/1530403002

Cr-Commit-Position: refs/heads/master@{#370185}

[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/android_webview/javatests/src/org/chromium/android_webview/test/GeolocationTest.java
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/android_webview/native/aw_settings.cc
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/chrome/browser/geolocation/geolocation_permission_context.cc
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/chrome/browser/geolocation/geolocation_permission_context_unittest.cc
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/content/public/common/common_param_traits_macros.h
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/content/public/common/content_switches.cc
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/content/public/common/web_preferences.cc
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/content/public/common/web_preferences.h
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/content/renderer/render_view_impl.cc
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/Source/core/frame/Settings.in
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/Source/core/frame/UseCounter.cpp
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/Source/web/WebSettingsImpl.cpp
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/Source/web/WebSettingsImpl.h
[modify] http://crrev.com/9d4ca2d9838b5f33bdb3f8fcfb8ef381d449b2a1/third_party/WebKit/public/web/WebSettings.h

Comment 8 by ecce...@gmail.com, Jan 28 2016
Hi. You are returning `POSITION_UNAVAILABLE` as error.code. You should be returning `PERMISSION_DENIED`.

BTW. Shouldn't the message be consistent with what you return when running on `file:` protocol? Currently error.message is "User denied Geolocation" on `file:` protocol.
Comment 9 by jww@chromium.org, Jan 29 2016
Thanks for the suggestion! I agree that it should match the same output as for file://, although to be honest, I'm not sure that the file:// error is giving the right message. That having been said, it certainly has been around longer, so let's stick with that. I'll upload a CL shortly to fix this.

Project Member Comment 11 by bugdroid1@chromium.org, Feb 2 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e9d2e8a2e8d288c87f192a55c1b5fe57388d7c2

commit 5e9d2e8a2e8d288c87f192a55c1b5fe57388d7c2
Author: jww <jww@chromium.org>
Date: Tue Feb 02 00:42:03 2016

Update geolocation over HTTP error to use PERMISSION_DENIED

When geolocation is used over HTTP, we had been using
POSITION_UNAVAILABLE, but it was pointed out that using geolocation over
a file:// URL uses PERMISSION_DENIED instead. To be consistent, this
updates the HTTP failure to use PERMISSION_DENIED.

BUG= 561641 

Review URL: https://codereview.chromium.org/1642903005

Cr-Commit-Position: refs/heads/master@{#372841}

[modify] http://crrev.com/5e9d2e8a2e8d288c87f192a55c1b5fe57388d7c2/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin.html
[modify] http://crrev.com/5e9d2e8a2e8d288c87f192a55c1b5fe57388d7c2/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
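
Added example, not part of the original thread or of Chromium's code: after the change above, an insecure origin and a user denial both report PERMISSION_DENIED, so page script has to look at the secure-context state as well as error.code to tell them apart. The function names, the reason strings and the fake geolocation object are hypothetical; in a real page the environment would be `{ isSecureContext: window.isSecureContext, geolocation: navigator.geolocation }`.

```javascript
// Added example; function names and the fake geolocation object are hypothetical.
// Error codes as defined by the Geolocation API's position error interface.
const PERMISSION_DENIED = 1, POSITION_UNAVAILABLE = 2, TIMEOUT = 3;

// Map a failed request to a reason the UI can act on. error.code alone is
// ambiguous: an insecure origin and a user denial both yield PERMISSION_DENIED,
// so the secure-context state has to be checked as well.
function classifyGeoFailure(error, isSecureContext) {
  if (!isSecureContext &&
      (error.code === PERMISSION_DENIED || error.code === POSITION_UNAVAILABLE)) {
    // POSITION_UNAVAILABLE covers builds made before the follow-up fix.
    return 'insecure-origin';
  }
  switch (error.code) {
    case PERMISSION_DENIED: return 'permission-denied';
    case POSITION_UNAVAILABLE: return 'position-unavailable';
    case TIMEOUT: return 'timeout';
    default: return 'unknown';
  }
}

// env is { isSecureContext, geolocation }; onResult receives { ok, ... }.
function locate(env, onResult) {
  if (!env.geolocation) return onResult({ ok: false, reason: 'unsupported' });
  env.geolocation.getCurrentPosition(
    (pos) => onResult({ ok: true, coords: pos.coords }),
    (err) => onResult({ ok: false, reason: classifyGeoFailure(err, env.isSecureContext) })
  );
}

// Constructed stand-in that fails every request with the given code, calling
// the error callback synchronously so the demo runs outside a browser.
function fakeFailingGeolocation(code, message) {
  return { getCurrentPosition: (_ok, fail) => fail({ code, message }) };
}

function demo() {
  const results = [];
  const run = (secure, code) => locate(
    { isSecureContext: secure, geolocation: fakeFailingGeolocation(code, 'constructed') },
    (r) => results.push(r.reason));
  run(false, PERMISSION_DENIED);    // http:// page, after the follow-up fix
  run(false, POSITION_UNAVAILABLE); // http:// page, before the follow-up fix
  run(true, PERMISSION_DENIED);     // https:// page, permission refused
  run(true, POSITION_UNAVAILABLE);  // https:// page, no position fix available
  return results;
}

console.log(demo());
```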

Comment 12 by jww@chromium.org, Mar 3 2016
Status: Fixed
Comment 13 by jww@chromium.org, Apr 20 2016
Labels: -M-49 M-50
Updating Milestone since it was actually removed in 50, not 49.
Cc: jincheol...@navercorp.com
@jww, I would like to verify the meaning of "sufficient warning" in aw_settings.cc of your latest patch.
Could you tell me when you will apply this to Android WebView?

Cc: mvanouwe...@chromium.org
Issue 632902 has been merged into this issue.
Comment 16 by jww@chromium.org, Jul 30 2016
Cc: torne@chromium.org
Sorry for the delayed response to comment #14! It somehow flew past my inbox.

Unfortunately, no, I don't have a timeline for that. torne@ (CC'd) is from the WebView team, and he's more or less in charge of the timeline, but I'm not sure he's established one yet.
We won't be removing this from webview probably for some time (one or more android releases/years). We're hoping to be able to come up with a solution to get use counter data for webview to enable us to see how big an issue this would be for apps, as well as wait for developers to respond to the N release removing this to see how many apps *stop* relying on it.

If you have an app that relies on this, you should fix it ASAP, and then you won't have to worry. You will need to update your app to not rely on this before you can begin to target the N release, since apps that target the N release already have this disabled.