Testing Geolocation from localhost or equivalent


andyg...@gmail.com

May 8, 2015, 6:12:07 PM
to securi...@chromium.org
What's the recommendation for all front-end developers testing Geolocation from localhost or its equivalent going forward?

I've read the Deprecating Powerful Features on Insecure Origins documentation and related FAQs that apply to the following error, but I'm confused because the FAQ says that HTTP will still be allowed, but it doesn't clarify the use of localhost:

"getCurrentPosition() and watchPosition() are deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."

I believe this applies to development on origins related to or similar to the following when served locally:

localhost/
web.local/
192.168.x.x/
etc.

Not all front-end dev shops will be able to remote into a non-local server for development and testing. Furthermore, this potentially places a significant burden to use multiple machines or production/external web servers for testing and continuous integration development patterns where a single machine is significantly more desirable.

Additional Reference: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/marking-http-as-non-secure

Lucas Garron

May 8, 2015, 6:13:50 PM
to andyg...@gmail.com, securi...@chromium.org

andyg...@gmail.com

May 9, 2015, 11:09:23 AM
to securi...@chromium.org, lga...@google.com
Excellent. Thanks for clarifying.

andyg...@gmail.com

Sep 1, 2015, 11:12:56 AM
to Security-dev, andyg...@gmail.com, lga...@google.com
Localhost testing is currently failing with "POSITION_UNAVAILABLE" messages and timeout errors when using desktop Chrome and Chrome Canary. This has been verified on a number of different networks.

Chrome version: 44.0.2403.157
Chrome Canary version: 47.0.2493.0 canary (64-bit)

Please advise on whether insecure localhost testing capabilities have been disabled in Chrome?

PhistucK

Sep 1, 2015, 11:19:43 AM
to andyg...@gmail.com, Security-dev, Lucas Garron
Does it work on secure, external hosts?


PhistucK



Joel Weinberger

Sep 1, 2015, 12:56:12 PM
to PhistucK, andyg...@gmail.com, Security-dev, Lucas Garron
If it doesn't work on localhost, that would be a bug. As Lucas mentioned, localhost should always be supported as a 'Privileged Context,' but in any case, we haven't made any changes to the support of Geolocation yet, so anything that disabled its support would be a bug.
--Joel
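
As an added illustration (not part of any post in this thread, and not Chrome's code): a simplified version of the "potentially trustworthy origin" test from the W3C Secure Contexts rules, applied to the kinds of origins listed in the first post. The function names and the concrete `192.168.0.10` address are assumptions made for the example.

```javascript
// Added example: simplified "potentially trustworthy origin" test based on
// the W3C Secure Contexts rules. This is not Chrome's implementation.
function isPotentiallyTrustworthy(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  // Authenticated transports qualify regardless of host name.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // This sketch only models http/ws beyond that (file: is left to the browser).
  if (url.protocol !== 'http:' && url.protocol !== 'ws:') return false;

  // Over plain HTTP only loopback hosts qualify, because traffic to them
  // never leaves the machine.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true; // IPv6 loopback
  const v4 = host.match(/^(\d+)\.\d+\.\d+\.\d+$/);
  return v4 !== null && v4[1] === '127'; // 127.0.0.0/8
}

// Origins from the first post; 192.168.0.10 is a constructed stand-in
// for the "192.168.x.x" placeholder.
const SAMPLE_ORIGINS = [
  'http://localhost/',
  'http://127.0.0.1:8080/',
  'http://[::1]:8080/',
  'http://web.local/',
  'http://192.168.0.10/',
  'https://192.168.0.10/',
];

// Returns the sample origins on which powerful features such as
// geolocation would be refused once insecure origins are blocked.
function insecureOrigins(origins) {
  return origins.filter((o) => !isPotentiallyTrustworthy(o));
}

console.log(insecureOrigins(SAMPLE_ORIGINS));
```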

andyg...@gmail.com

Sep 1, 2015, 1:23:28 PM
to Security-dev, andyg...@gmail.com, lga...@google.com
@PhistucK no, it does not seem to be working from HTTPS in Chrome. Chrome Canary isn't returning anything.

To clarify:
- Using getCurrentPosition()
- The position object is being returned
- position.coords.latitude always seems to equal zero
- position.coords.longitude always seems to equal zero
- position.coords.accuracy is returning a value

PhistucK

Sep 1, 2015, 1:26:52 PM
to andyg...@gmail.com, Security-dev, Lucas Garron
Then file an issue at crbug.com, if you cannot find an existing similar issue there.


PhistucK

andyg...@gmail.com

Sep 1, 2015, 1:42:58 PM
to Security-dev, andyg...@gmail.com, lga...@google.com