<Geolocation API> "granted" on Firefox BUT "denied" on Chrome
Greetings,
I am facing the following issue; question will follow after.
I have a production application using the Geolocation API from the navigator:
- Yes => the app is served over HTTPS
- Yes => all third-party sources are served over HTTPS
- Yes => I have granted geolocation on browsers
The results I get are:
- localhost => geolocation is OK on both Firefox & Chrome
- production => geolocation is OK on Firefox, but not OK on Chrome
- Firefox => before granting geolocation, I get the browser pop-up asking me to allow or block geolocation; OK
- Chrome => either before or after granting geolocation, I get no such browser pop-up
On Chrome:
- Permissions API => tells me that geolocation is "denied"
- Geolocation's getCurrentPosition => tells me that "Geolocation has been disabled in this document by permissions policy."
More info:
- tech stack => Vue3 app hosted on Netlify
- production version => there are several subdomains according to the city selected by user
- the production app is actually for demo purpose; thus I cannot make any screenshot
Now, here is the question:
What could make the whole thing work without any issue on Firefox, and could also displease Chrome?
Any help is highly appreciated.
Thanks much in advance.
Solution 1:[1]
Problem solved
I feel grateful to a wonderful colleague, whose pair of fresh eyes allowed us to look in the right place: the _headers file!
This file contained:
Permissions-Policy: fullscreen=(), geolocation=()
In the Permissions-Policy, you indeed write what is permitted, but you need to specify what you permit!
https://www.w3.org/TR/permissions-policy-1/#policy-controlled-feature :
SecureCorp Inc. wants to disable use of Fullscreen and Geolocation APIs within their application. It can do so by delivering the following HTTP response header to define a permissions policy:
Permissions-Policy: fullscreen=(), geolocation=()
By specifying an empty origin list, the specified features will be disabled for all documents, including nested documents, regardless of their origin.
SecureCorp Inc. wants to completely disable use of the Geolocation API within all browsing contexts except for its own origin and those whose origin is "https://example.com", even in the presence of an attacker who can embed their own iframes on SecureCorp’s pages. It can do this by delivering the following HTTP response header to define a restricted permissions policy for Geolocation:
Permissions-Policy: geolocation=(self "https://example.com")
Firefox seems to ignore this however, hence the fact it was working on this browser.
Now in my _headers file:
Permissions-Policy: fullscreen=(), geolocation=(self)
Feature-Policy: geolocation 'self'
Cheers.
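A check for the misconfiguration described in this answer, as an added example that is not part of the original post: it parses a Netlify-style _headers file and reports every Permissions-Policy feature whose allowlist is empty, meaning the feature is disabled even for the site's own origin. The function names and the `/*` path rule in the sample are assumptions; the header values are the ones quoted above.

```javascript
// Parse a Permissions-Policy header value into { feature: [allowlist entries] }.
function parsePermissionsPolicy(value) {
  const policy = {};
  // Split on commas that sit outside double quotes and parentheses.
  const members = value.match(/(?:"[^"]*"|\([^)]*\)|[^,])+/g) || [];
  for (const member of members) {
    const eq = member.indexOf('=');
    if (eq === -1) continue; // bare keys are ignored in this sketch
    const feature = member.slice(0, eq).trim();
    const raw = member.slice(eq + 1).trim();
    // "(a b)" is an inner list; a lone token such as * or self is also valid.
    const list = raw.startsWith('(') ? raw.slice(1, raw.indexOf(')')) : raw.split(';')[0];
    const entries = list.match(/"[^"]*"|[^\s"]+/g) || [];
    policy[feature] = entries.map((e) => e.replace(/"/g, ''));
  }
  return policy;
}

// Walk a _headers file: unindented lines are path rules, indented lines are
// "Name: value" headers for that path. Report features with an empty allowlist,
// which are disabled for every origin, the site's own included.
function findSelfBlockedFeatures(headersFileText) {
  const findings = [];
  let path = null;
  for (const line of headersFileText.split(/\r?\n/)) {
    if (!line.trim() || line.trim().startsWith('#')) continue;
    if (!/^\s/.test(line)) { path = line.trim(); continue; }
    const m = /^\s+permissions-policy\s*:\s*(.*)$/i.exec(line);
    if (!m) continue;
    for (const [feature, allowlist] of Object.entries(parsePermissionsPolicy(m[1]))) {
      if (allowlist.length === 0) findings.push({ path, feature });
    }
  }
  return findings;
}

// Constructed samples: the "/*" path rule is assumed, the header values are
// the two versions quoted in the answer.
const BEFORE = '/*\n  Permissions-Policy: fullscreen=(), geolocation=()\n';
const AFTER = '/*\n  Permissions-Policy: fullscreen=(), geolocation=(self)\n';

for (const [label, text] of [['before', BEFORE], ['after', AFTER]]) {
  const blocked = findSelfBlockedFeatures(text).map((f) => `${f.path} ${f.feature}`);
  console.log(label, blocked);
}
```

Running it against the deployed _headers file in CI flags a feature the application depends on before the header reaches production.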
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow