According to the specification¹, when the 'maximumAge' parameter of a
call to getCurrentPosition() is not explicitly set, its value defaults
to 0, which instructs the user agent to request a new position, and not
return a cached one.

However, pages that call getCurrentPosition() with a maximumAge
parameter > 0 might get a cached location, without your explicit consent.

That said, I had a look at the code at http://www.where-am-i.net/, and
it appears getCurrentPosition() is called without a maximumAge
parameter, so it should not disclose a cached location; instead it
should always try to get a fresh position.

Assuming this is correctly implemented in Chromium (which the browser’s
web engine uses under the hood), the issue could be somewhere else in
the stack (maybe the location provider returning a stale position with a
fresh timestamp?). This is merely a conjecture; more investigation is
needed. I’m tentatively adding an ubuntu-location-service task.


¹ https://dev.w3.org/geo/api/spec-source.html#position_options_interface

** Also affects: location-service (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: webbrowser-app (Ubuntu)
       Status: New => Invalid

** Also affects: oxide
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to Oxide.
https://bugs.launchpad.net/bugs/1551686

Title:
  browser leaks old location data to web pages

Status in Oxide:
  New
Status in location-service package in Ubuntu:
  New
Status in webbrowser-app package in Ubuntu:
  Invalid

Bug description:
  Visit a web page that requests your current location, for example
  http://where-am-i.net. It prompts to get permission to share the current
  location; hit allow and it will probably show where you were a few
  hours ago, as the GPS will have a cached location. Refreshing won't
  update the location; only applications that subscribe to updates cause
  the GPS to get a new location.

  The problem here is that I authorised the web page to know where I am
  now. I am OK with giving my current position to the web page
  requesting it. I *didn't* authorise it to know where I was yesterday
  or this morning, and I might have reasons to not want it to know where
  my house is, even though I am fine with it knowing where I am right
  now.

  The web browser app should not reveal GPS locations that are older
  than the decision to allow location to be shared with the page.

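Added example (not part of the original notification, and not code from Oxide, Chromium or location-service): a model of the cache decision that maximumAge controls, with the consent-time floor the bug description asks for. The function names, the `consentGrantedAt` parameter and the sample values are assumptions made for illustration.

```javascript
// Constructed sample data: a fix cached three hours before "now".
const HOUR = 60 * 60 * 1000;
const SAMPLE_NOW = 1456000000000;                 // ms since epoch, constructed
const SAMPLE_CACHED = {
  timestamp: SAMPLE_NOW - 3 * HOUR,
  coords: { latitude: 0, longitude: 0 },          // placeholder coordinates
};

// Returns the cached position if it may be handed to the page, or null
// when the user agent has to acquire a fresh fix instead.
function selectCachedPosition(cached, options, now, consentGrantedAt) {
  if (!cached) return null;
  // maximumAge defaults to 0 when omitted: always request a new position.
  const maximumAge = options && options.maximumAge !== undefined
    ? Number(options.maximumAge)
    : 0;
  // In this model any value that is not > 0 (including NaN) means "no cache".
  if (!(maximumAge > 0)) return null;
  // Infinity passes this test, so the cache is used whatever its age.
  if (now - cached.timestamp > maximumAge) return null;
  // Hypothetical policy from the bug description: never reveal a fix that
  // is older than the decision to share location with this page.
  if (cached.timestamp < consentGrantedAt) return null;
  return cached;
}

// Page-side sanity check: reject a result stamped before the request.
// It cannot catch a provider that stamps a stale fix with a fresh time,
// which is the conjecture raised in the comment above.
function isNotOlderThanRequest(position, requestedAt) {
  return position.timestamp >= requestedAt;
}
```
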