Intent to Remove: Insecure origin usage of geolocation
Primary eng (and PM) emails
Eng: j...@chromium.org
Link to “Intent to Deprecate” thread
https://groups.google.com/a/chromium.org/d/msg/blink-dev/2LXKVWYkOus/gT-ZamfwAKsJ
Summary
This is a continuation of applying the concepts in http://www.w3.org/TR/powerful-features/ to features that have already shipped and which do not meet the (new, not present at the time) requirements. This is an intent to remove specifically for geolocation on insecure origins.
Motivation
This is a large privacy risk to users as it allows a passive attacker to sniff any geolocation obtained from this API, and it allows an active attacker to steal geolocation information from a trusted but insecure site. Additionally, use of geolocation on insecure origins is generally low, right on the removal threshold, at 0.0319% of page loads. Given the low use and the success of removing getUserMedia() from insecure origins, the time seems right to improve our users' privacy and security here.
Compatibility Risk
This change provides a moderate amount of compatibility risk insofar as insecure origins that use this API will not be able to use it in the future. However, the API already has a "deny" state that these users must handle, and this change will just start returning "deny", so it should not cause bugs per se.
Firefox has announced their general intention to remove geolocation and similar features from insecure origins, but I do not believe they have done so yet.
Usage information from UseCounter
On insecure origins (to remove): https://www.chromestatus.com/metrics/feature/popularity#GeolocationInsecureOrigin
On secure origins (to remain): https://www.chromestatus.com/metrics/feature/popularity#GeolocationSecureOrigin
OWP launch tracking bug
https://crbug.com/561641 for geolocation in particular, and https://crbug.com/520765 for broader removal of old powerful features on insecure origins.
Entry on the feature dashboard
I believe this fits under the already existing geolocation status: https://www.chromestatus.com/features/6348855016685568
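An added example, not from this thread or from Chromium: a site-side JavaScript helper that skips the geolocation request in an insecure context and handles the PERMISSION_DENIED error that, per the intent, insecure origins will simply start receiving. The `ctx` parameter (carrying `isSecureContext` and a geolocation object) is an assumption so the code runs outside a browser; the fake geolocation objects at the bottom are constructed test doubles.

```javascript
// Error codes defined by the Geolocation API's PositionError.
const PERMISSION_DENIED = 1;
const POSITION_UNAVAILABLE = 2;
const TIMEOUT = 3;

// Map a PositionError to a short reason the site can act on.
function describeError(err) {
  switch (err && err.code) {
    case PERMISSION_DENIED: return 'denied';
    case POSITION_UNAVAILABLE: return 'unavailable';
    case TIMEOUT: return 'timeout';
    default: return 'unknown';
  }
}

// ctx is injected (assumption) so this is testable offline. In a page you
// would pass { isSecureContext: window.isSecureContext,
//              geolocation: navigator.geolocation }.
// onResult receives { ok: true, coords } or { ok: false, reason }.
function requestLocation(ctx, onResult) {
  if (!ctx.isSecureContext) {
    // Don't prompt at all: after the removal an insecure origin just gets
    // "deny", so degrade to a non-location code path up front.
    onResult({ ok: false, reason: 'insecure-context' });
    return;
  }
  if (!ctx.geolocation || typeof ctx.geolocation.getCurrentPosition !== 'function') {
    onResult({ ok: false, reason: 'unsupported' });
    return;
  }
  ctx.geolocation.getCurrentPosition(
    (pos) => onResult({ ok: true, coords: pos.coords }),
    (err) => onResult({ ok: false, reason: describeError(err) }),
    { timeout: 10000 }
  );
}

// Constructed fakes standing in for navigator.geolocation.
const denyingGeolocation = {
  // Mirrors the post-removal behaviour the intent describes: error callback
  // fired with PERMISSION_DENIED.
  getCurrentPosition(_ok, fail) {
    fail({ code: PERMISSION_DENIED, message: 'User denied Geolocation' });
  },
};
const grantingGeolocation = {
  getCurrentPosition(ok) {
    ok({ coords: { latitude: 51.5, longitude: -0.12, accuracy: 20 } });
  },
};
```

In a real page the same handler covers both the user clicking "Block" and the insecure-origin case, which is exactly why existing "deny" handling keeps sites working after the change.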
I support this, in general I think we should switch one of the "powerful features" per release to be behind the guard. That's slow enough to let people react, but fast enough to force change and show we're serious. :)
For RAPPOR data on use on insecure domains, there's only one that has enough data to pop out, but it's at a relatively low proportion. So while we can (and should) reach out to them, I don't believe that would make a dent in the insecure numbers.
-Joel
-- Mounir
Fair enough all around. I'll proceed with the CL then.
-Joel
+jww explicitly