Per https://w3c.github.io/webappsec-secure-contexts/, we are deprecating and then removing geolocation from insecure contexts. Geolocation is a powerful feature that gives access to the user's precise location, which makes it a powerful privilege escalation for anyone able to inject content into an HTTP page. Removing it from insecure contexts closes that attack vector by only allowing geolocation over HTTPS.
Documentation
- Part of the larger effort to remove powerful features on insecure origins: https://chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
- blink-dev discussion and API owner approval: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/ylz0Zoph76A/C1VNAhJ8BQAJ
Specification
Status in Chromium
Removed (tracking bug) in:
- Chrome for desktop release 50
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- Positive
- No signal
- No signal
- Mixed signals
Owner
Last updated on 2020-11-09