Google Restricts GeoLocation to HTTPS in Chrome Version 50
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Google Restricts GeoLocation to HTTPS in Chrome Version 50

Geolocation only available over HTTPS in Chrome 50.

With the release of Chrome v50, the Geolocation API has officially been restricted to HTTPS-only. What does this mean? If you want your website to be able to request the user’s location over the internet, you need to serve your site over HTTPS.

Attempting to get the user’s location over HTTP will simply fail. The user will not ever know you wanted to request their location (unless they happen to have the developer console open).

GeoLocation

Remember that using Geolocation results in a permissions prompt. Adding HTTPS support to your site does not automatically give you permission to get the user’s location. They still get to choose to allow or block that information.

For any developers who may be panicking about testing or prototyping: Don’t worry! HTTPS is not the only secure origin. Anything done on localhost  is also considered secure origins (for a full list of secure origins click here).

Powerful Features & Secure Origins

This is part of a bigger campaign by Google Chrome’s Security team known as “Deprecating Powerful Features on Insecure Origins”. That’s a mouthful, huh? In plain language, this means that connections which cannot be trusted will not have full access to certain browser functionality.

These “powerful features” either handle sensitive user data (personally-identifiable information, user credentials, payment information, etc), or make changes to the user’s experience that should only be done over secure (and authenticated) connections. This set of features includes: device motion / orientation, geolocation, and accessing the user’s camera and microphone).

So far, only Geolocation and getUserMedia (access to webcam / microphone) have been given the HTTPS-only treatment.  We put together a handy chart (look below) showing the features slated to go secure origins-only for reference.

Google Chrome’s Security team continually evaluates the real-world use and posts warnings to their blink-dev mailing list before removing any features, which makes predicting difficult. But if you are on the lookout you should never be left in the dark.

 

Feature HTTPS Only?
Device motion / orientation

 

Not yet
Encrypted Media Extensions (EME)

 

Not yet
Fullscreen

 

Not yet
Geolocation

 

Yes (Chrome 50)
getUserMedia
(access to users’s camera and microphone)
Yes (Chrome 47)
AppCache

 

Not yet
Be the first to comment

Leave a Reply

Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *