Geolocation only available over HTTPS in Chrome 50.
With the release of Chrome v50, the Geolocation API has officially been restricted to HTTPS-only. What does this mean? If you want your website to be able to request the user’s location over the internet, you need to serve your site over HTTPS.
Attempting to get the user’s location over HTTP will simply fail. The user will not ever know you wanted to request their location (unless they happen to have the developer console open).
Remember that using Geolocation results in a permissions prompt. Adding HTTPS support to your site does not automatically give you permission to get the user’s location. They still get to choose to allow or block that information.
For any developers who may be panicking about testing or prototyping: Don’t worry! HTTPS is not the only secure origin. Anything done on localhost is also considered secure origins (for a full list of secure origins click here).
Powerful Features & Secure Origins
This is part of a bigger campaign by Google Chrome’s Security team known as “Deprecating Powerful Features on Insecure Origins”. That’s a mouthful, huh? In plain language, this means that connections which cannot be trusted will not have full access to certain browser functionality.
These “powerful features” either handle sensitive user data (personally-identifiable information, user credentials, payment information, etc), or make changes to the user’s experience that should only be done over secure (and authenticated) connections. This set of features includes: device motion / orientation, geolocation, and accessing the user’s camera and microphone).
So far, only Geolocation and getUserMedia (access to webcam / microphone) have been given the HTTPS-only treatment. We put together a handy chart (look below) showing the features slated to go secure origins-only for reference.
Google Chrome’s Security team continually evaluates the real-world use and posts warnings to their blink-dev mailing list before removing any features, which makes predicting difficult. But if you are on the lookout you should never be left in the dark.
|Device motion / orientation
|Encrypted Media Extensions (EME)
|Yes (Chrome 50)|
(access to users’s camera and microphone)
|Yes (Chrome 47)|