Add support for approximate geolocation

[alvinjiooo]

Closes #182

This commit introduces the ability for users and developers to request a less precise, privacy-preserving "approximate" location.

Key changes include:

• A new accuracyMode option in PositionOptions to request either "precise" or "approximate" location.
• A new "Geolocation permissions" section, which include new "geolocation-approximate" powerful feature and custom precise permission query or request algorithm.
• Updated "Request a position" and "Acquire a position" algorithms to handle the new accuracy levels and new emulation change (feat: add accuracyMode to emulation.setGeolocationOverride webdriver-bidi#1105).
• The GeolocationCoordinates interface now includes an accuracyMode attribute to reflect the accuracy of the returned position.
• Expanded the introduction with a non-normative description of what an "approximate location" is.
• Added a normative privacy requirement for user agents to mitigate precise location reconstruction by caching approximate locations for a period of time.
• Updated

The following tasks have been completed:

• Modified Web platform tests (link to pull request)

Implementation commitment (and no objections):

• WebKit
• Chromium (https://bugs.chromium.org/p/chromium/issues/detail?id=)
• Gecko (https://bugzilla.mozilla.org/show_bug.cgi?id=)

Documentation (new feature):

• Updated implementation report
• Pinged MDN
• Added example to README or spec

For documentation, either create an issue or pull request in MDN's Content repo - providing as much information as you can. PR is prefered.

Approximate Geolocation explainer

---

Preview | Diff

[reillyeon]

For readability as you iterate on this proposal it's okay for this PR to directly change the specification text however to land this change the changes need to be enclosed in the correct candidate additions/corrections/deletions syntax.

[marcoscaceres]

@reillyeon if it's ok, let's move this to CR first (i.e., let's not waste time with the ins/dels). We are close to publishing as CR again.

[Copilot]

Pull Request Overview

This PR adds support for approximate location positioning to the Geolocation API specification. It introduces a privacy-preserving alternative to precise location sharing, allowing applications to request coarse-grained location data when high accuracy is not needed.

Key changes:

• Introduces accuracyMode option with "precise" (default) and "approximate" values
• Adds new "geolocation-approximate" permission alongside existing "geolocation" permission
• Implements separate caching for precise and approximate positions
• Updates permission request flows to allow users to choose between precise and approximate location sharing

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[antosart]

A few comments wrt the permission handling.

[marcoscaceres]

Please remove all the "Candidate addition" stuff. We don't need any of that additional markup anymore (but leave the rest of normative text there 😄 ) .

[nondebug]

lgtm

[alvinjiooo]

Please remove all the "Candidate addition" stuff. We don't need any of that additional markup anymore (but leave the rest of normative text there 😄 ) .

Should we split out the "Candidate addition" removal stuff in a separate CL? It would make this one a little easier to parse :)

It sounds like #181 will be landed soon once the status change happened. I will rebased this PR again once that one is landed.

[alvinjiooo]

Hi @marcoscaceres and @antosart ,
I rebased the PR and now we finally get rid of ins and del tag.
PTAL and share your comments.
Thanks!

[antosart]

looks good to me now, thanks for all the iterations on this!

[alvinjiooo]

Hi @marcoscaceres ,
May I have your help to review this PR?
Thanks!
Alvin

[alvinjiooo]

Hi @reillyeon,
Will you have a chance to review this PR before it lands?
Thanks!

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

index.html:951

• This uses [=list/remove=] (lowercase list), but elsewhere the spec uses [=List/remove=] for the Infra list operation. The lowercase form likely won’t resolve to the intended definition; please align the casing with the rest of the document.

              If |resolvedPermissionState| is "denied", then:
                <ol>
                  <li>If |watchId| was passed, [=list/remove=] |watchId| from
                  |watchIDs|.
                  </li>

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[marcoscaceres]

Looking good @alvinjiooo ... there seems to be some unrelated editorial changes.

Maybe see about splitting those out (get Genini maybe to do them quickly?). Will make this easier to review.

[marcoscaceres]

This needs to be in the algorithm (if it's not already).

[alvinjiooo]

I did consider formalizing this caching logic within the algorithm. However, opinions on the practical risk of precise location reconstruction still vary, and there isn't a single standardized approach yet. Coupled with the existing visibility requirements, a caching window (like 15 minutes) already makes reconstruction extremely difficult in practice. Keeping this in the Privacy Considerations section provides strong guidance while leaving implementers flexibility as mitigation strategies evolve. I’m inclined to leave it as a 'SHOULD' recommendation rather than a hard algorithmic requirement for now, but I'd be interested to hear your thoughts on this framing.

[marcoscaceres]

This change seems unrelated or maybe the white space got screwed up?

[alvinjiooo]

This one is not changed by the PR, the original place is at here. It got moved further down because the introduced change for approximate geolocation.

[marcoscaceres]

Does this belong in this PR? Can it be a separate PR?

[alvinjiooo]

This part is not changed too, the original place is at here.

[marcoscaceres]

Really nice work getting this to a reviewable state, @alvinjiooo.

I want to raise a privacy concern about two pieces: GeolocationPermissionStatus and coords.accuracyMode.

The design lets sites request approximate via PositionOptions.accuracyMode, which is great for data minimization. But I think we should stop there and not tell the site what the user actually chose.

GeolocationPermissionStatus: This exposes the user's privacy preference via navigator.permissions.query() without any position request. There's no precedent for permission result types exposing user preference metadata (camera doesn't reveal which device was selected, notifications doesn't reveal quiet mode). This is closely related to the long-standing concern in w3c/permissions#52 — expanding the queryable surface to include how a user configured their privacy preference compounds the risk. I'd propose removing this entirely, and making "geolocation-approximate" not a JS-queryable permission name. Only "geolocation" should be valid for permissions.query(). This keeps the API backwards-compatible: sites cannot use permissions.query() to pre-detect whether approximate location is available or what the user chose, preserving the same opacity as a UA that doesn't support the feature.

coords.accuracyMode: Today, coords.accuracy of 5000m is ambiguous: it could be the user's privacy choice, bad GPS lock, or WiFi-only positioning. That ambiguity prevents reliable upgrade-nagging. A definitive "approximate" flag removes that ambiguity and enables "tap here for better location" dark patterns. I'd propose removing this attribute.

Permissions Policy gating: I think "geolocation-approximate" still has value as a policy-controlled feature for iframe restriction. But the allowed to use check in the algorithm (currently only checking "geolocation") needs updating: if accuracyMode is "approximate", check allowed to use "geolocation-approximate"; if "precise", check allowed to use "geolocation". And allowing "geolocation" should implicitly allow "geolocation-approximate" (superset), but not vice versa.

Summary:

• Keep PositionOptions.accuracyMode (site requests what it needs)
• Keep "geolocation-approximate" for Permissions Policy (iframe control)
• Remove GeolocationPermissionStatus (no custom permission result type)
• Remove coords.accuracyMode (site doesn't learn what user chose)
• Only "geolocation" is queryable via Permissions API
• Add proper allowed to use checks per accuracy mode

I'd like to invite @martinthomson, @saschanaz, and @npdoty to weigh in on the privacy model here. Once we converge on the right shape, I think this warrants a formal PING review given the sensitivity of location privacy.

[marcoscaceres]

See #195 (comment) ... as I think the permission model needs a significant overhaul... and could be simultaneously significantly simplified.

[marcoscaceres]

Suggested change

	Similarly, you can request a cached approximate position.
	Similarly, you can request a cached approximate position:

[marcoscaceres]

Suggested change

	{ maximumAge: 600_000 } // `accuracyMode` defaults to "precise"
	{
	maximumAge: 600_000,
	// `accuracyMode` defaults to "precise"
	}

[marcoscaceres]

Just a nit... but it feels like we could cover both cases with just one example.

[marcoscaceres]

Suggested change

	user's [=precise position=], thus offering a more privacy-friendly
	user's [=precise position=], thus offering a more privacy-preserving

[marcoscaceres]

The user agent can't know if the position will meet the sites needs. It can only return an approximate position. If it's good enough, that's up to the site to determine.

Suggested change

	the user agent can provide a less precise location that still meets the
	application's needs while obscuring the user's [=precise position=].
	a supporting user agent MUST provide a less precise location,
	obscuring the user's [=precise position=].

[marcoscaceres]

Suggested change

	There is a strict dependency between the [=permission state=]s of
	There is a strict dependency between the [=permission states=] of

[marcoscaceres]

Nit: I wonder if this should be a table?

[marcoscaceres]

Right, but this needs to be an algorithm. We can wire up the Permission side later, but this still needs to be algorithmically defined.

Basically, the algorithm receives the new state, and then it dos all the things defined here.

[marcoscaceres]

Also, this can be very racy, so some kind of coordinator will still be needed where this is queued.

[marcoscaceres]

Do we really need to leak the user's choice? This seems like it shouldn't be needed. The site should just get back a portion, but it shouldn't know what the user selected or when it's changed, right?

[antosart]

Wrt leaking the granted accuracy (either in GeolocationPermissionStatus or in coords.accuracyMode) our main thought was that in practice there is no real way to hide this (on Android, for example, a coarsened position has a fixed accuracy - I believe it's 2000m - and the possible values for the x and y coords are on a grid, so that it seems clear that the position is artificially coarsened and not the result of bad GPS signal).

As for the geolocation-approximate permission policy, I agree there is value in having it. However, it's not totally trivial how to make it work correctly because of the interdependencies between geolocation and geolocation-approximate, which are not currently supported by the Permission Policy specification (see explainers-by-googlers/approximate-geolocation#19 and explainers-by-googlers/approximate-geolocation#20 for more details).

[marcoscaceres]

I get that Android's current LocationFudger implementation snaps to a grid, which makes approximate positions detectable in practice. But I think the right response is to encourage UAs to add entropy (jitter, noise, variable quantization) to make approximate less detectable, rather than formalizing the leak with coords.accuracyMode. The browser doesn't have to pass the OS's accuracy value or grid pattern through to JS unchanged. Chrome on Android could add noise to the grid-snapped position before delivering it to content, making grid detection unreliable.

The spec should push implementations toward privacy (guidance on resisting detectability), not codify worst-case current behavior as the API surface.

On the "sites need to know" argument: I think there are two legitimate needs here, and neither requires coords.accuracyMode:

1. Pre-permission capability detection ("does this browser support approximate?"): A CSS media feature would let sites adapt their UI before ever calling the API, e.g., showing "we only need your city-level location" messaging. This is pure capability detection, no user preference leak.

2. Post-permission UX adaptation ("is this position good enough for walking directions?"): coords.accuracy already answers this. If accuracy is 3000m, you show city-level features regardless of whether that's approximate mode, bad GPS, or WiFi-only positioning. The site should be checking the number anyway. And even with accuracyMode: "approximate", the UA could return a position with 50m accuracy (the request is a hint, not a guarantee), so the site can't rely on the label for UX decisions.

So the model would be: CSS media feature for capability → PositionOptions.accuracyMode for request → coords.accuracy for adaptation. No flag that reveals the user's privacy choice.

On Permissions Policy: agreed it's non-trivial. I've looked at issues explainers-by-googlers/approximate-geolocation#19 and explainers-by-googlers/approximate-geolocation#20 in the explainer repo. The inheritance problem needs upstream Permissions Policy spec work, but that seems like the right path rather than working around it.