agup-esristaff

Using a secure origin with browser-based Geolocation

Blog Post created by agup-esristaff Employee on May 11, 2015

Many folks are starting to notice a warning message in the latest versions of Chrome when running apps that use the browser's JavaScript Geolocation API. The warning says "getCurrentPosition() and watchPosition() are deprecated on insecure origins, and support will be removed in the future. You should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."

 

There are several things to know about this message. You will still be able to test Geolocation locally on Chrome without needing to install a security certificate on your development machine when using patterns such as "localhost", "web.local", "192.168.x.x" and similar since they are considered Potentially Trustworthy. Additionally, if you are using blob:, file: and filesystem: URLs they will also continue to work as long as they were created in a potentially secure origin themselves. However, if you have apps that use data: and javascript: then those origins are not considered potentially secure and will most likely be blocked.

 

Chrome and Google have been consistently sending a message that the web needs to continue moving towards HTTPS for all traffic. It's reasonable to assume that at some point in the near future Chrome (as well as other browser vendors) will require a location-based JavaScript app hosted on a public-facing, production server to be served up via HTTPS.

 

Additional Reading

 

Google Web Security Group: Google Groups

The Chromium Projects: Prefer Secure Origins For Powerful New Features - The Chromium Projects

W3C: Secure Contexts

Outcomes