TL;DR the Geolocation API will be restricted to secure contexts in
Firefox 55 (due in August).
Hi there,
as a follow-up to [1], we're moving forward to restrict Geolocation
API only to secure contexts.
This is due to a number of important reasons:
1. Chrome and Safari have already deprecated insecure geo requests
last year (Firefox is the only major browser still allowing them)
2. We've deprecated "Insecure HTTP" in 2015 [2]
3. It's easier than ever to get a valid SSL certificate
4. It's cheaper than ever to get a valid SSL certificate (actually it's free)
Even though we've landed all the necessary groundwork in [3], this is
gonna be a slow rollout to give everybody plenty of time to adjust.
In Firefox 54 (currently in Nightly): the insecure Geolocation API are
protected by the preference "geo.security.allowinsecure" that defaults
to true on all the channels (true = accept insecure requests = no
change).
Firefox 54 is due in june [4].
In Firefox 55 we will flip the switch and all the requests to
navigator.geolocation.getCurrentPosition() and watchPosition() will
only be fulfilled if in a secure context.
Firefox 55 is due in august.
The tracking bug is [5].
[1]
http://bit.ly/2jZYXkK
[2]
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
[3]
http://bugzil.la/1269531
[4]
https://wiki.mozilla.org/RapidRelease/Calendar
[5]
http://bugzil.la/1072859
--
Bye,
Michelangelo