[Webkit-unassigned] [Bug 275950] New: Geolocation Permissions API on iOS reports state of "Other Websites" instead of current domain if both set

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 27 04:57:54 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=275950

            Bug ID: 275950
           Summary: Geolocation Permissions API on iOS reports state of
                    "Other Websites" instead of current domain if both set
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: iOS 18
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: smoser at google.com

Using https://permission.site/permission-status, I tested the behavior of the permission API on iOS in regards to how the setting of "Other Websites" is respected. I took these steps:

1. Enable Location Services in iOS settings
2. Enable Location Services for Safari in settings
3. Safari Settings -> Location -> Edit -> Clear all domain specific settings
4. Safari Settings -> Location -> Other Websites -> Set to "Allow"
5. Visit https://permission.site/permission-status in Safari
6. Observe that permission status is reported as GRANTED
7. Click on Geolocation reports SUCCESS without visible prompt
8. Website Settings -> Location -> Set to "Deny"
9. Observe that the permission status is reported as GRANTED
10. Reload the page
11. Observe that the permission status is reported as GRANTED
12. Click on Geolocation reports "User denied geolocation" without visible prompt

Expected behavior

In step 9 and 11, `navigator.permissions.query({ name: 'geolocation' })` reports the site-specific permission status, i.e. "Permission Status" reports `DENIED`

Observed behavior:

Despite there being an origin-specific setting, in step 9 and 11, `navigator.permissions.query({ name: 'geolocation' })`, i.e. "Permission Status" reports `GRANTED`. This is in conflict with the behavior of the geolocation API failing in step 12.


We want to provide a consistent end-to-end experience between content-area UI and browser-side UX. To do that, we need to understand how the browser UX will behave if (for example) we call the browser’s geolocation API -- will a permission prompt be shown? Or is the permission already granted or denied?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240627/840416d6/attachment-0001.htm>

More information about the webkit-unassigned mailing list