Attempting to use geolocation over http should generate clear error about it being unsupported
Reported by
teo8...@gmail.com,
Apr 22 2016
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36 Steps to reproduce the problem: 1. Do a synchronous XMLHttpRequest 2. try to use navigator.geolocation.getCurrentPosition() in a script from an insecure source (i.e. http as opposed to https) What is the expected behavior? Warning about deprecated features should be unambiguous about whether or not the attempted use of the feature has been blocked or not. What went wrong? In both cases, you get a warning telling you that you are trying to use a deprecated feature that you are not supposed to use. Both of them are warnings (neither of them is an error) and they are phrased similarly. They don't tell you clearly whether or not what you were trying to do has been prevented or not. However, while in case 1 the code is executed succesfully (the request is made and it is made asynchronously), in case 2 the use of the deprecated feature is prevented (getCurrentPosition does not return the position). So, similar situations (use of a deprecated feature), exact same kind of (ambiguous) warning, and completely different outcome. This is tremendously ambiguous and it's not even consistent. Did this work before? No Chrome version: 50.0.2661.86 Channel: stable OS Version: Flash Version: Shockwave Flash 21.0 r0
,
Apr 22 2016
I thought the same, but there's one caveat: an error will stop execution of all the code that follows (unless of course the exception is caught). That will break scripts that are working now. It could be a disaster. Not sure though, that *may* still be the right thing to do. Anyway, all warnings MUST be crystal-clear about whether the attempted action has been prevented or not. This include improving the phrasing of the other warning I mentioned about asynchronous requests.
,
Apr 30 2016
This will break Modernizrs feature detect for geolocation[1] which just does 'geolocation' in navigator to me if that's ran on an unsecure page it should be false as technically it doesn't support geolocation. I assume this sets a precedent for future APIs to be moved to https only and those should return false for common feature detection techniques too. [1] https://github.com/Modernizr/Modernizr/blob/master/feature-detects/geolocation.js
,
May 2 2016
Simple repro page: http://jsbin.com/kafayu I think the issue here is specific to the geolocation warning, it's not really "ambiguous" but actually "incorrect". Geolocation on insecure origins is no longer "deprecated" it's fully "unsupported". At a minimum the message should be updated to make that clear. Joel, can you do that please? We almost certainly can't change the API to throw an exception, that would be a breaking change. I assume we could generate a devtools error message instead of a warning message, but I'm not sure that's appropriate. It's no more a hard error than if the user had declined the permission. Regarding the suggestion of changing feature detection, I don't think that's really appropriate. In general browser features don't come and go depending on context. This is really what the permissions API is for - you can determine in advance (albeit only asynchronously) that geolocation permission has been denied: https://developer.mozilla.org/en-US/docs/Web/API/Permissions_API/Using_the_Permissions_API
,
May 2 2016
I agree with #4. This is a bug in messaging, and if you look at getUserMedia(), which was deprecated and then removed in the same way as geolocation, we provide much more accurate messaging: "getUserMedia() no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details." I'll modify the geolocation message to match that. I also agree with rbyers that this should not be an exception as that would semantically break many sites. From the application's perspective, his is treated indistinguishably from a user denying permission, so the case should already by handled.
,
May 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f08d3200d37b28a9de02d28f7396e99966827551 commit f08d3200d37b28a9de02d28f7396e99966827551 Author: jww <jww@chromium.org> Date: Fri May 06 19:35:17 2016 Fix geolocation removal from insecure contexts console message The console message when the geolocation API is used in insecure messages ambiguously says it is deprecated when, in fact, it has been removed at this point. This updates the message to match getUserMedia() and say it is removed. BUG= 605938 R=rbyers@chromium.org Review-Url: https://codereview.chromium.org/1942003002 Cr-Commit-Position: refs/heads/master@{#392126} [modify] https://crrev.com/f08d3200d37b28a9de02d28f7396e99966827551/third_party/WebKit/LayoutTests/http/tests/security/powerfulFeatureRestrictions/old-powerful-features-on-insecure-origin-expected.txt [modify] https://crrev.com/f08d3200d37b28a9de02d28f7396e99966827551/third_party/WebKit/Source/core/frame/Deprecation.cpp [modify] https://crrev.com/f08d3200d37b28a9de02d28f7396e99966827551/third_party/WebKit/Source/core/frame/UseCounter.h [modify] https://crrev.com/f08d3200d37b28a9de02d28f7396e99966827551/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp [modify] https://crrev.com/f08d3200d37b28a9de02d28f7396e99966827551/tools/metrics/histograms/histograms.xml
,
May 23 2016
,
May 23 2016
,
Sep 22 2017
,
Sep 22 2017
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by pfeldman@chromium.org
, Apr 22 2016Owner: jww@chromium.org
Status: Assigned (was: Unconfirmed)