Google Restricts GeoLocation to HTTPS in Chrome Version 50
 Google Restricts GeoLocation to HTTPS in Chrome Version 50
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
April 19, 2016 Comments closed

Google Restricts GeoLocation to HTTPS in Chrome Version 50

in Industry Lowdown

Geolocation only available over HTTPS in Chrome 50.

With the release of Chrome v50, the Geolocation API has officially been restricted to HTTPS-only. What does this mean? If you want your website to be able to request the user’s location over the internet, you need to serve your site over HTTPS.

Attempting to get the user’s location over HTTP will simply fail. The user will not ever know you wanted to request their location (unless they happen to have the developer console open).

GeoLocation

Remember that using Geolocation results in a permissions prompt. Adding HTTPS support to your site does not automatically give you permission to get the user’s location. They still get to choose to allow or block that information.

For any developers who may be panicking about testing or prototyping: Don’t worry! HTTPS is not the only secure origin. Anything done on localhost  is also considered secure origins (for a full list of secure origins click here).

Powerful Features & Secure Origins

This is part of a bigger campaign by Google Chrome’s Security team known as “Deprecating Powerful Features on Insecure Origins”. That’s a mouthful, huh? In plain language, this means that connections which cannot be trusted will not have full access to certain browser functionality.

These “powerful features” either handle sensitive user data (personally-identifiable information, user credentials, payment information, etc), or make changes to the user’s experience that should only be done over secure (and authenticated) connections. This set of features includes: device motion / orientation, geolocation, and accessing the user’s camera and microphone).

So far, only Geolocation and getUserMedia (access to webcam / microphone) have been given the HTTPS-only treatment.  We put together a handy chart (look below) showing the features slated to go secure origins-only for reference.

Google Chrome’s Security team continually evaluates the real-world use and posts warnings to their blink-dev mailing list before removing any features, which makes predicting difficult. But if you are on the lookout you should never be left in the dark.

 

Feature HTTPS Only?
Device motion / orientation

 

 Not yet
Encrypted Media Extensions (EME)

 

 Not yet
Fullscreen

 

 Not yet
Geolocation

 

 Yes (Chrome 50)
getUserMedia
(access to users’s camera and microphone)		 Yes (Chrome 47)
AppCache

 

 Not yet

Author

Vincent Lynch

The SSL Store’s encryption expert makes even the most complex topics approachable and relatable.

Recent Posts

Follow Us

Free Ebooks

eBook
Email Spoofing Defense 101 (A 5-Step Guide)

Download Now

eBook
Certificate Lifecycle Management Best Practices Guide

Download Now

eBook
10 Code Signing Best Practices

Download Now