Monday, May 10, 2010

HTML5 Geolocation API is scaring me

What happens if you try to open the following HTML code in your Firefox (or any other browser that supports Geolocation API)?

<html>
<head>
  <script type="text/javascript">
    if (navigator.geolocation) {
      navigator.geolocation.getCurrentPosition(function(position) {  
        document.location.href =
          "http://maps.google.com/maps?q=" 
          + position.coords.latitude + ",+" 
          + position.coords.longitude
          + "+(I'm%20here!)&iwloc=A&hl=en";
      });
    }
  </script>
</head>
<body>
</body>
</html>

I was pretty scared when I've seen my own house. Actually, I was informed about the fact that the site "wants to know my location", but isn't it just as a matter of courtesy by Firefox!? May be I'm just wrongfully paranoid :-/

20 comments:

Sjan said...

Interesting, but where does the browser get its location information (assuming you are not talking about the browser on your GPS phone.)

This puts me about 1/4 mile off my actual location. And without my wireless AP listed in skyhook that seems like a pretty good trick.

Evert said...

Any browser that uses it, will ask you beforehand.

It might be interesting for you to know that your location is figured out (often) based on nearby wifi hotspots. It will check a couple of your networks and triangulates it back to your house.

Michael said...

@Sjan, no I don't have any GPS or cellular antenna on my computer :) Read How does it work in Firefox, for more information.

Tiran Kenja said...

Yeah. I guess it is a courtesy that Firefox asks you if you want to share the location. But I don't know of any browser that don't. And if there is one, I'd guess there is likely other reasons not to use it as well.

exceptione said...

I get

location is undefined
file:///C:/Program%20Files/Mozilla%20Firefox/components/NetworkGeolocationProvider.js
Line 91


ff: 3.6.3

Jacek Pospychala said...

haha, I can see your house too :-D
- Robber


but following Firefox explanation pretty much any website can do this on their own by using Google geolocation services directly rather than via HTML API. People often overestimate their anonymity, so I wonder how much more cautious would they be if they actually saw themselves all the time on the map :-)

ma_il said...

Wow, that's scarily accurate. It points exactly to my office building, too.

jamie said...

Well testing it on my FF it had the marker about 5 miles from my house. That's pretty much what I get from most geolocation stuff.

Ian said...

Nowhere near my place. However, it's the same location that other Geo Location services place my IP address. So in my case, it's definitely using my IP address.

SeeSchlo├č said...

I'm not impressed, this puts me in Seattle when I'm actually in northern France. Maxmind's geoip finds my city just fine.

tttony said...

Well, the GeoLocation isn't accurate, just show the town where you live but not your house with accurate coordenates, in fact some ISP give IP from another city of you country

Michael said...

@SeeSchlo├č, @tttony, you should read more about Geolocation API, especially how your browser uses Wi-Fi access points around to determine your location (in case your computer has a wireless antenna, of course). That can be pretty accurate.

swaroop said...

If you read the HTML5 Spec carefully

http://dev.w3.org/geo/api/spec-source.html#security

You can see that any Browsers implementing this has to request the user for an explicit permission before it shares using the API.

Wouldn't it be good that the "Apps you trust" provide a better functionality (say movie tickets recognize the closes cinemas) saving a lot of your time.

For the rest of the mischievous websites, they already keep some sort of a tracking cookie/JS to get your location. Its just browsers such as Firefox use Google's Location APIs for built-in accuracy before giving out a coordinate.
http://www.mozilla.com/en-US/firefox/geolocation/

Michael said...

@swaroop, I don't have a problem with browsers that conform to HTML5 standard. I have a problem with the service, which records a MacAddress -> GeoLocation mapping without knowledge of access points holders.

Christian Harms said...

If you want to get the geo location of a visitor without the security warning you have to use an (not so accurate) IP-GEO Provider - see more at ip-geo.appspot.com.

Carl said...

Mine goes to a high school Taiwan, while I live in EUROPE (and it's Sunday, no school)

Extremely accurate, huh?

fukawi2 said...

Sweet f*** all happens in my browser, just a blank page (Chromium on Arch Linux)

fukawi2 said...

Sweet f*** all happens in my browser, just a blank page (Chromium on Arch Linux)

geetha said...

wonderful information, I had come to know about your blog from my friend nandu , hyderabad,i have read atleast 7 posts of yours by now, and let me tell you, your website gives the best and the most interesting information. This is just the kind of information that i had been looking for, i'm already your rss reader now and i would regularly watch out for the new posts, once again hats off to you! Thanks a ton once again, Regards, Html5 online trainingamong the Html5 in Hyderabad. Classroom Training in Hyderabad India

ALAGU SUNDARAM said...

Great article. Useful information.
Thanks for sharing.
http://www.cavinitsolutions.com/