ichnaea | webappsec-permissions-policy
---|---
29 | 5
551 | 391
0.7% | -0.3%
3.7 | 6.9
23 days ago | 26 days ago
Python | Bikeshed
Apache License 2.0 | GNU General Public License v3.0 or later
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ichnaea
- Mozilla will be retiring the Mozilla Location Service
The rather troubling part of this announcement in a GitHub issue is that this nugget comes out in a seemingly innocuous comment[1]:
>> Firefox still uses MLS for `browser.region.network.url`; will that also move to Google Location Services?
> This endpoint will be migrated to another service (classify-client) that will return the expected response. We'll adjust DNS entries when it's time to make that move so firefox won't see any difference.
What exactly is this "classify-client" service?
Note also this led me to discover for the first time that this is a thing[2]:
> Geolocation for default search engine
> In order to set the right default search engine for your location, Firefox will perform a geolocation lookup once by contacting Mozilla's servers and store the country-level result locally. This connection happens on the first start of Firefox – in case you want to prohibit that, you will have to preconfigure the browser and set the browser.search.geoip.url preference to a blank string.
Also related is [3].
[1]: https://github.com/mozilla/ichnaea/issues/2065#issuecomment-...
[2]: https://support.mozilla.org/en-US/kb/how-stop-firefox-making...
[3]: https://old.reddit.com/r/firefox/comments/iq27wa/disabling_l...
- Retiring the Mozilla Location Service
- How, what, who, and, why?
- WiGLE: Wireless Network Mapping
I don't know what WiGLE users do with the data, but the WiGLE admins sold Wi-Fi location data to Microsoft to bootstrap Bing Maps back in the day.
I helped bootstrap Mozilla's Location Service (MLS) to support geolocation on Firefox OS without Google Location Services. Mozilla even had its own Wi-Fi "wardriving/stumbling" app (MozStumbler https://github.com/mozilla/MozStumbler) and an opt-in stumbler in Firefox Android. But once Firefox OS was retired, there wasn't much need for MLS. However, Mozilla still runs a Wi-Fi geolocation service open to other projects (like GNOME's Geoclue service).
Mozilla also publishes cell tower location data and shares with the OpenCellID stumbling project. I worked with Mozilla's privacy and security teams to see if we could publish the Wi-Fi location data, but we didn't find a privacy-preserving way to do that.
For more information about MLS, check out https://location.services.mozilla.com/
- Mozilla, Google, and Manifest V3
Google mainly makes a search engine deal and pays Mozilla to use Google Location services rather than Mozilla's. Google doesn't control the development of Firefox, or its browser engine Gecko (at least directly, they do manipulate the market so other browsers are forced to implement their stuff, Manifest v3 itself being an example).
- What methods are used to locate a phone?
The same is possible with bluetooth. Source: Mozilla Location Services
- MLS for CellMapper Users, Primer
Tower Collector, as an app, collects for both https://opencellid.org/ and https://location.services.mozilla.com/ . https://en.wikipedia.org/wiki/Mozilla_Location_Service
- Happy Windows 11 Laptop Users in 2023
- Cell tower ID (CID) and location area code LAC to coordinates?
I had used Google's Geolocation API and Mozilla Location Service in the past.
webappsec-permissions-policy
- Smart Move, Google
Thanks for the docs. The examples (2 & 3, https://github.com/w3c/webappsec-permissions-policy/blob/mai...) seem to me to say that search.google.com can’t grant location permissions to an iframe if the parent was forbidden them, but I didn't find an explicit example for what happens if the iframe domain already got permission previously.
As you say the UI for requesting in this case would be weird, and this seems like a big security hole to me, but I can’t see a bit of the spec that explicitly forbids (though I only scanned the doc.)
- Amazon is blocking Google’s FLoC
There is apparently no way to define a default disable either, so to turn off all the random features, the header becomes huge.
https://github.com/w3c/webappsec-permissions-policy/issues/1...
What is happening in w3c?!
- Optimise your site - Addressing recommendations from securityheaders.com
This took a fair bit of investigation. I'm not convinced that it's the most well-documented header, in terms of the properties that you can set. Effectively, this is a list of values that determine which permissions are allowed for this website. Given I don't need access to location, camera, microphone or accelerometer. I did have issues finding consistent documentation on this one, so ended up having to combine the Feature-Policy documentation from MDN as well as the permissions policy examples from w3c.
- User-Agent Client-Hints, take 2
Since Chrome v84 the Chrome team has had a few setbacks which has resulted in some changes. In addition, the feature policy header, for delegating the client hints to third parties, has changed name to Permissions-Policy.
What are some alternatives?
UnifiedNlp - Alternative network location provider for Android, with plugin interface to easily integrate third-party location providers.
OsmAnd - OsmAnd
location-guard - Hide your geographic location from websites.
webappsec-feature-policy - A mechanism to selectively enable and disable browser features and APIs [Moved to: https://github.com/w3c/webappsec-permissions-policy]
Nominatim - Open Source search based on OpenStreetMap data
ua-client-hints - Wouldn't it be nice if `User-Agent` was a (set of) client hints?
WiFi-Automatic - Automatically turn off WiFi if you don't need it
MozStumbler - Android Stumbler for Mozilla
GmsCore - Free implementation of Play Services
AnsiMail - Fullstack, security focused, personal mail server based on OpenSMTPD for OpenBSD
Openstreetmap - The Rails application that powers OpenStreetMap