On 10/25/2016 11:43 AM, Eric Rescorla wrote:
Setting aside the policy question, the location API for mobile devices generally gives a much more precise estimate of your location than can be obtained from the upstream network provider. For instance, consider the case of the ISP upstream from Mozilla's office in Mountain view: they can only localize a user to within 50 meters or so of the office, whereas GPS is accurate to a few meters. And of course someone who is upstream from the ISP may just have standard geo IP data.
Assuming every MITM and website already has approximate geo IP location, we could fuzz the navigator.getCurrentPosition() result for HTTP sites. That would leak no more information than passive geo IP and would not break HTTP websites using the geolocation API.
_______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
