Chrome has publicly stated its intent to deprecate powerful features like geolocation on non-secure origins, and we hope that others will follow.
Starting with Chrome version 50, Chrome no longer supports the HTML5 Geolocation API over non-secure connections to obtain the user’s location. This means that the page that’s making the Geolocation API call must be served over a secure context such as HTTPS and localhost.
When is this changing?
This change is effective as of Chrome version 50 (12PM PST April 20 2016).
Chrome has been providing warnings since version 44 (released July 21 2015).
There have been other public announcements, so hopefully this isn’t the first
time you’ve seen this:
- Intent to deprecate set of powerful features over HTTP (Feb 2015)
- Intent to deprecate Geolocation API over HTTP (Nov 2015)
- Chrome Dev Summit (Nov 2015)
- Mobiforge (Jan 26, 2016)
- Chrome Beta Channel release blog (March 17, 2016)
- Wired (March 17, 2016)
- VentureBeat (April 13, 2016)
- Chrome Status website
- et al
Why are we making this change?
Location is sensitive data! Requiring HTTPS is the only way to protect the privacy of your users’ location data. If the user’s location is sent over a non-secure connection, anyone on the network will be able to know where that user is. This seriously compromises user privacy.
Who does this affect?
This affects any page currently using the Geolocation API from pages served over HTTP (non-secure). It also affects HTTPS iframes that use the Geolocation API if they are embedded in HTTP pages (you won’t be able to polyfill using a shared HTTPS-based service).
Does my whole web app need HTTPS?
It is not a requirement that the whole app be served via HTTPS to use Geolocation. Only pages that use Geolocation need to be served via HTTPS. However, we strongly suggest that you migrate to HTTPS.
I need to use Geolocation. What should I do?
If you would like to use the HTML5 Geolocation API, or if your site already uses the Geolocation API, please migrate the page making the Geolocation API JavaScript function call to HTTPS, ensuring that it’s used in a secure context.
There are other fallback options available to get a user’s location that are not affected by this change, such as the Google Maps Geolocation API, GeoIP (one example; there are other geo-based solutions), and a user-entered zip code. However, we strongly recommend moving to HTTPS as the best path to ensure ongoing access to geolocation.
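The sketch below is an added example, not code from the original post: it checks for a secure context before calling the Geolocation API and routes every failure to a fallback such as a zip code prompt. The names `preflight`, `requestLocation` and the reason strings are hypothetical; `win` stands for the page's `window`.

```javascript
// Decide whether a Geolocation call can succeed before making it.
// `win` is passed in (normally `window`) so the logic can be exercised
// with a stand-in object outside a browser.
function preflight(win) {
  if (!win.navigator || !win.navigator.geolocation) {
    return { ok: false, reason: 'unsupported' };
  }
  // isSecureContext is false on an http:// page, and also inside an
  // https:// iframe embedded in an http:// page. An undefined value
  // (older browser) is not treated as a failure here.
  if (win.isSecureContext === false) {
    const ownOriginIsHttps = win.location.protocol === 'https:';
    return {
      ok: false,
      reason: ownOriginIsHttps ? 'insecure-ancestor' : 'insecure-origin',
    };
  }
  return { ok: true, reason: null };
}

// Request the position, or report why a fallback is needed.
// onPosition receives { lat, lon }; onFallback receives a reason string.
function requestLocation(win, onPosition, onFallback) {
  const check = preflight(win);
  if (!check.ok) {
    onFallback(check.reason); // e.g. show a zip code field instead
    return;
  }
  win.navigator.geolocation.getCurrentPosition(
    (pos) => onPosition({ lat: pos.coords.latitude, lon: pos.coords.longitude }),
    // Error code 1 is PERMISSION_DENIED; other codes mean no fix was obtained.
    (err) => onFallback(err.code === 1 ? 'denied' : 'unavailable'),
    { timeout: 10000 }
  );
}
```

In a page, call `requestLocation(window, showMap, askForZipCode)` with your own handlers; an `insecure-ancestor` result means the embedding page, not the frame, has to move to HTTPS.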