GeoLocation API – Chrome / Safari – Permission management and Visual Differences

The GeoLocation API is a very sensitive API when it comes to privacy. All browsers ask the user for permission before sharing location information, but they differ in how much information they show to alert the user and in how these permissions are managed. We are going to look at that now. We also tend to feel that “Private Browsing” mode is mostly anonymous, but that is not the case most of the time. Here we will just compare the behaviour of the Chrome and Safari browsers.

PoC to access the GeoLocation Information:

<html>
    <head>
        <title>GeoLocation API Example</title>
        <script type="text/javascript">
            // Called with a Position object once the user has granted
            // permission and the user agent has obtained a position.
            function successCallback(position) {
                alert(position.coords.latitude + "       " + position.coords.longitude);
            }
            // Called with a PositionError when no position can be returned.
            function errorCallback(error) {
                switch (error.code) {
                    case error.TIMEOUT:
                        alert('Timeout');
                        break;
                    case error.POSITION_UNAVAILABLE:
                        alert('Position unavailable');
                        break;
                    case error.PERMISSION_DENIED:
                        alert('Permission denied');
                        break;
                    default:
                        // Any other code, including the older UNKNOWN_ERROR
                        alert('Unknown error');
                        break;
                }
            }
            // No options argument is passed, so the default values for
            // maximumAge and timeout apply. This call triggers the prompt.
            navigator.geolocation.getCurrentPosition(successCallback, errorCallback);
        </script>
    </head>
    <body>
        <h1>GeoLocation API Example</h1>
    </body>
</html>

Chrome:

Let’s access this PoC from Google Chrome 16 browser.

Chrome asks for a “one time” permission. Once you give the permission it is stored forever, although you can revoke it in the configuration section.

Under the “Location” section, if you click the “Manage exceptions” button, you can see the list of permissions we have given so far.

Most of the time what happens is that we give permission to a site once and then forget that this website keeps tracking our location. Does any user agent show any kind of indication that “This site is reading our GeoLocation information”? Yes. As far as I know, only Chrome shows an indication. Let’s access that URL one more time.

Safari

Let’s access this PoC from Apple Safari 5.1.2 browser.

Safari provides very limited options for managing these permissions. Safari’s permission management is very simple.

Safari does not allow you to change the permission for a specific site, but it has one interesting option: remembering the decision for one day.

Let’s access the same link one more time through Safari and see whether it shows any indication that this privacy-sensitive information is being shared.

Safari does not show any indication that this privacy-sensitive information is being shared.
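
When the browser gives no indication, a site that holds a remembered grant can still announce the read itself. The following is an added example, not code from the original post: it assumes a browser that implements the Permissions API (`navigator.permissions.query`) and reports 'unknown' where it is absent; `readLocationWithNotice`, `storedGeoPermission`, `notify` and `banner` are illustrative names.

```javascript
// Added example, not from the original post. `nav` is a navigator-like
// object; `notify` is a hypothetical UI hook (banner, icon) owned by the page.

// Resolve the stored decision: 'granted' | 'denied' | 'prompt' | 'unknown'.
function storedGeoPermission(nav) {
  if (!nav.permissions || typeof nav.permissions.query !== 'function') {
    return Promise.resolve('unknown'); // no Permissions API: cannot tell
  }
  return nav.permissions
    .query({ name: 'geolocation' })
    .then((status) => status.state, () => 'unknown');
}

// Read the position once. If the grant is remembered the browser will not
// prompt again, so the page announces the read itself before making it.
function readLocationWithNotice(nav, notify) {
  return storedGeoPermission(nav).then((state) => {
    if (state === 'denied') {
      return { state, position: null }; // respect the refusal, skip the call
    }
    if (state === 'granted') {
      notify('This page is reading your location (permission was remembered).');
    }
    return new Promise((resolve) => {
      nav.geolocation.getCurrentPosition(
        (pos) => resolve({
          state,
          position: { lat: pos.coords.latitude, lon: pos.coords.longitude },
        }),
        (err) => resolve({ state, position: null, errorCode: err.code }),
        // Accept a cached fix up to 10 minutes old; give up after 10 seconds.
        { maximumAge: 600000, timeout: 10000 }
      );
    });
  });
}

// In a browser:
//   readLocationWithNotice(navigator, (msg) => { banner.textContent = msg; });
```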

Summary
    1. Google Chrome can add "remember for one day" option.
    2. Safari should improve its permission management.
    3. Safari should show an indication about the "GeoLocation" information sharing.
    4. Educate the user about this new indication.

It took many years for browser vendors to show an almost similar visual indication to users about site trustworthiness (i.e. the SSL certificate). Maybe in the future, when you access a simple website, you will have to check at least ten different visual indications. Browser vendors should work together in creating common visual indicators.
