On Wed, Oct 26, 2016 at 6:17 AM, Chris Peterson <cpeter...@mozilla.com> wrote:
> On 10/25/2016 11:43 AM, Eric Rescorla wrote: > >> Setting aside the policy question, the location API for mobile devices >> generally >> gives a much more precise estimate of your location than can be obtained >> from the upstream network provider. For instance, consider the case of the >> ISP upstream from Mozilla's office in Mountain view: they can only >> localize >> a user to within 50 meters or so of the office, whereas GPS is accurate to >> a few meters. And of course someone who is upstream from the ISP may just >> have standard geo IP data. >> > > Assuming every MITM and website already has approximate geo IP location, > we could fuzz the navigator.getCurrentPosition() result for HTTP sites. > That would leak no more information than passive geo IP and would not break > HTTP websites using the geolocation API. This turns out to be incredibly hard. https://tools.ietf.org/id/draft-thomson-geopriv-location-obscuring-03.html If you want to do something like this, probably the best way to do it would be to report the GeoIP from some public database based on the apparent current public IP. -Ekr > > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
