ubuntu-webapps-bugs team mailing list archive
-
ubuntu-webapps-bugs team
-
Mailing list archive
-
Message #03846
[Bug 1551686] Re: browser leaks old location data to web pages
According to the specification¹, when the 'maximumAge' parameter of a
call to getCurrentPosition() is not explicitly set, its value defaults
to 0, which instructs the user agent to request a new position, and not
return a cached one.
However pages that call getCurrentPosition() with a maximumAge parameter
> 0 might get a cached location, without your explicit consent.
That said, I had a look at the code at http://www.where-am-i.net/, and
it appears getCurrentPosition() is called without a maximumAge
parameter, so it should not disclose a cached location, instead it
should always try to get a fresh position.
Assuming this is correctly implemented in chromium (which the browser’s
web engine uses under the hood), the issue could be somewhere else in
the stack (maybe the location provider returning a stale position with a
fresh timestamp?). This is merely a conjecture, more investigation is
needed. I’m tentatively adding an ubuntu-location-service task.
¹ https://dev.w3.org/geo/api/spec-source.html#position_options_interface
** Also affects: location-service (Ubuntu)
Importance: Undecided
Status: New
** Changed in: webbrowser-app (Ubuntu)
Status: New => Invalid
** Also affects: oxide
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to Oxide.
https://bugs.launchpad.net/bugs/1551686
Title:
browser leaks old location data to web pages
Status in Oxide:
New
Status in location-service package in Ubuntu:
New
Status in webbrowser-app package in Ubuntu:
Invalid
Bug description:
visit a web page that requests your current location, for example http
://where-am-i.net it prompts to get permission to share the current
location, hit allow and it will probably show where you were a few
hours ago as the GPS will have a cached location. Refreshing won't
update the location, only applications that subscribe to updates cause
the GPS to get a new location.
The problem here is that I authorised the web page to know where I am
now. I am OK with giving my current position to the web page
requesting it. I *didn't* authorise it to know where I was yesterday
or this morning, and I might have reasons to not want it to know where
my house is, even though I am fine with it knowing where I am right
now.
The web browser app should not reveal GPS locations that are older
than the decision to allow location to be shared with the page.
To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1551686/+subscriptions