
Self-Review Questionnaire for Geolocation: Security and Privacy #191

@siusin

Self-Review Questionnaire: Security and Privacy

The full questionnaire is at https://w3c.github.io/security-questionnaire/.

For your convenience, a copy of the questionnaire's questions is included here in Markdown, so you can easily include your answers in an explainer.


This review is for the following spec: Geolocation - W3C REC 20250818. Additions and corrections since the last dated REC, 2022/09/01, are listed in the SoTD of the spec.

  1. What information does this feature expose, and for what purposes?
    Geolocation provides access to geographical location information associated with the hosting device. For more details, see Section 1. Introduction.

Features in this version that may be of interest include:

  2. Do features in your specification expose the minimum amount of information
    necessary to implement the intended functionality?
    This question is addressed in Section 3.1. User Consent.
    The additions and corrections in this version do not affect this question.

  3. Do the features in your specification expose personal information,
    personally-identifiable information (PII), or information derived from
    either?
    Yes.

  4. How do the features in your specification deal with sensitive information?
    This question is addressed in Section 3. Privacy.
    The additions and corrections in this version do not affect this question.

  5. Does data exposed by your specification carry related but distinct
    information that may not be obvious to users?
    This question is addressed in Section 3.1. User Consent.
    The additions and corrections in this version do not affect this question.

  6. Do the features in your specification introduce state
    that persists across browsing sessions?
    User Agents may persist the permission state described in Section 3.4. Checking permission to use the API between browsing sessions. Refer to the "Privacy" section of the "Permissions" specification for more details.

  7. Do the features in your specification expose information about the
    underlying platform to origins?
    Yes, refer to question 1.

  8. Does this specification allow an origin to send data to the underlying
    platform?
    No.
    The additions and corrections in this version do not affect this question.

  9. Do features in this specification enable access to device sensors?
    Common sources of location information are explained in Section 1. Introduction.
    The additions and corrections in this version do not affect this question.

  10. Do features in this specification enable new script execution/loading mechanisms?
    No.

  11. Do features in this specification allow an origin to access other devices?
    No.

  12. Do features in this specification allow an origin some measure of control over a user agent's native UI?
    No.

  13. What temporary identifiers do the features in this specification create or
    expose to the web?
    watchIDs

Features in this version that may be of interest include:

  14. How does this specification distinguish between behavior in first-party and
    third-party contexts?
    Please see Section 2.7: Enabling the API in third-party contexts. This question is also discussed in Section 3.1. User Consent.
    The additions and corrections in this version do not affect this question.

  15. How do the features in this specification work in the context of a browser’s
    Private Browsing or Incognito mode?
    Yes.
    The additions and corrections in this version do not affect this question.

  16. Does this specification have both "Security Considerations" and "Privacy
    Considerations" sections?
    Yes.

  17. Do features in your specification enable origins to downgrade default
    security protections?
    No.

  18. What happens when a document that uses your feature is kept alive in BFCache
    (instead of getting destroyed) after navigation, and potentially gets reused
    on future navigations back to the document?
    This API is using maximumAge as cache control.
    There is a note at the end of the request a position algorithm. It describes what happens when a position update would be sent to a document that is not fully active.

  19. What happens when a document that uses your feature gets disconnected?
    This API is using maximumAge as cache control.
    Same as the answer to Question 18.

  20. Does your spec define when and how new kinds of errors should be raised?
    Please see Section 10. GeolocationPositionError interface.
    The additions and corrections in this version do not affect this question.

  21. Does your feature allow sites to learn about the user's use of assistive technology?
    No.

  22. What should this questionnaire have asked?
