Google Restricts GeoLocation to HTTPS in Chrome Version 50
Geolocation only available over HTTPS in Chrome 50.
With the release of Chrome v50, the Geolocation API has officially been restricted to HTTPS-only. What does this mean? If you want your website to be able to request the user’s location over the internet, you need to serve your site over HTTPS.
Attempting to get the user’s location over HTTP will simply fail. The user will never know you wanted to request their location (unless they happen to have the developer console open).
Remember that using Geolocation results in a permissions prompt. Adding HTTPS support to your site does not automatically give you permission to get the user’s location. They still get to choose to allow or block that information.
For any developers who may be panicking about testing or prototyping: Don’t worry! HTTPS is not the only secure origin. Anything done on localhost is also considered a secure origin (localhost is one entry on the full list of secure origins).
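The behaviour described above, as an added example that is not code from the original article: a guard that checks for a secure origin before calling the Geolocation API, so a request over HTTP is reported instead of failing unnoticed, and a blocked permission prompt is reported separately. `isSecureOrigin` is a simplified approximation of the browser's rule, and `locate`, `env` and the reason strings are names assumed for this example.

```javascript
// Added example. Simplified approximation of the browser's secure-origin rule;
// inside a page, window.isSecureContext is the authoritative answer.
function isSecureOrigin(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // IPv4 loopback
  return host === "[::1]"; // IPv6 loopback
}

// GeolocationPositionError codes mapped to readable reasons (assumed names).
const GEO_ERRORS = { 1: "permission-denied", 2: "position-unavailable", 3: "timeout" };

// env is a window-like object ({ isSecureContext, navigator }), passed in so
// the logic can be exercised outside a browser. onResult receives one object.
function locate(env, onResult) {
  if (!env.isSecureContext) {
    // On an insecure origin the request would fail with nothing shown to the user.
    onResult({ ok: false, reason: "insecure-origin" });
    return;
  }
  if (!env.navigator || !env.navigator.geolocation) {
    onResult({ ok: false, reason: "unsupported" });
    return;
  }
  // A secure origin only earns the permission prompt; the user can still block.
  env.navigator.geolocation.getCurrentPosition(
    (pos) => onResult({
      ok: true,
      latitude: pos.coords.latitude,
      longitude: pos.coords.longitude,
    }),
    (err) => onResult({ ok: false, reason: GEO_ERRORS[err.code] || "unknown" })
  );
}

// Browser usage: locate(window, (result) => console.log(result));
```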
Powerful Features & Secure Origins
This is part of a bigger campaign by Google Chrome’s Security team known as “Deprecating Powerful Features on Insecure Origins”. That’s a mouthful, huh? In plain language, this means that connections which cannot be trusted will not have full access to certain browser functionality.
These “powerful features” either handle sensitive user data (personally identifiable information, user credentials, payment information, etc.), or make changes to the user’s experience that should only be done over secure (and authenticated) connections. This set of features includes device motion / orientation, geolocation, and access to the user’s camera and microphone.
So far, only Geolocation and getUserMedia (access to webcam / microphone) have been given the HTTPS-only treatment. For reference, we put together a handy chart (below) showing the features slated to go secure origins-only.
Google Chrome’s Security team continually evaluates real-world use and posts warnings to their blink-dev mailing list before removing any features, which makes predictions difficult. But if you are on the lookout, you should never be left in the dark.
| Feature | Restricted to secure origins? |
|---|---|
| Device motion / orientation | |
| Encrypted Media Extensions (EME) | |
| Geolocation | Yes (Chrome 50) |
| getUserMedia (access to user’s camera and microphone) | Yes (Chrome 47) |