Firefox 55, Due In August, Will Require HTTPS for Geolocation
A future version of Mozilla’s browser, Firefox 55, which is due out in August, will entirely disable Geolocation on HTTP pages, meaning that you now need HTTPS for Geolocation. Websites without encryption will no longer be able to ask for a user’s location.
In Firefox 55, geolocation requests over HTTP will fail silently – the user will not even know the site was trying to request that information. Developers will be happy to know that local content (localhost and file:// paths) is included in Mozilla’s definition of a Secure Context, and will still be allowed to request geolocation. Encrypted WebSocket connections (wss://) will also be allowed to make requests.
Geolocation is among a set of browser features that expose sensitive and personally identifying information about a user, and that therefore pose a greater safety and privacy risk. As a result, these features have been some of the earliest functionality to be restricted and then entirely disabled over HTTP, due to the protocol’s lack of encryption or authentication.
By the way, this is only the beginning. Browsers will then move on to other features, with the end-goal of ditching HTTP altogether.
Geolocation has already been disabled in Chrome (for nearly a year) and Safari. Firefox lagged behind the other browsers because internal data showed a high proportion of geolocation requests came from HTTP sites, and there were concerns over breaking too many pages.
Breakage is a moot point now, as most sites have had to do without this functionality over HTTP for some time. For most sites, Firefox’s change will likely not be a problem.
If you are a developer and want to start testing this behavior now, you can do it in Firefox Nightly if you change the following flag:
- Paste about:config into the address bar and press Enter.
- If you see the “This Might Void Your Warranty” page, click the blue “I accept the risk!” button.
- In the Search box at the top, paste geo.security.allowinsecure.
- Double click the setting to change it to “false.”
- Done! Now when you visit HTTP pages requesting your location, the requests will fail. You can test this behavior at http://permission.site/.
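For sites that still call the Geolocation API, the following added example (not code from Mozilla or from this article's source) checks for a secure context before requesting a location, so the page can show a fallback instead of failing silently. The function names and the reason strings are assumptions made for illustration; the scheme rules cover only the cases listed above.

```javascript
// Added example, not Mozilla's code. The scheme rules below mirror only what
// the article lists: HTTPS, wss://, localhost and file:// count as secure.
function originAllowsGeolocation(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable input is treated as insecure
  }
  if (u.protocol === 'https:' || u.protocol === 'wss:' || u.protocol === 'file:') {
    return true;
  }
  // Exact hostname match: "localhost.example.com" or "localhost@example.com"
  // must not pass as local content.
  return u.protocol === 'http:' && u.hostname === 'localhost';
}

// env is a window-like object (assumption: pass `window` in a browser).
// Returns true if a request was issued; otherwise reports why not, so the
// page can show a fallback such as a manual address field.
function requestLocation(env, onPosition, onUnavailable) {
  const secure = typeof env.isSecureContext === 'boolean'
    ? env.isSecureContext                         // browser's own verdict wins
    : originAllowsGeolocation(env.location.href); // fallback for older browsers
  if (!secure) {
    onUnavailable('insecure-context');
    return false;
  }
  const geo = env.navigator && env.navigator.geolocation;
  if (!geo) {
    onUnavailable('unsupported');
    return false;
  }
  geo.getCurrentPosition(
    onPosition,
    (err) => onUnavailable(err.code === 1 ? 'denied' : 'error'), // 1 = PERMISSION_DENIED
    { timeout: 10000 }
  );
  return true;
}
```

In a browser, call it as `requestLocation(window, showMap, showAddressForm)`, where the two callbacks are the page's own handlers.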