The HTML Geolocation Element

1. Introduction and Background

User agents expose powerful features to web sites, like geolocation or camera access. These features are important to some use cases, but can be easily abused.To handle this, user agents use permissions to ask the user whether they wish for a particular access to be allowed or not.

These permission requests began as a fairly direct passthrough: A site would ask for some capability and the user agent immediately prompts the user to make a decision for the request. Meanwhile, spam and abuse have forced user agents to take a more opinionated approach to protect users' security, privacy, and attention. The status quo is that users get a multitude of permission requests, where it’s oftentimes unclear to users what the consequences of these requests might be.

This spec introduces a new mechanism that requests and initiates access to Geolocation capabilities through in-page elements, with built-in protections against abuse. Giving access to the location through in in-page lement wants to tie capability activation to the actual context in which it will be used , thus reducing "permission spam" and at the same time providing implementations with a better signal of user intent.

The later chapters of this specification are careful to build up the required spec infrastructure to that it can be re-used on other, similarly spirited elements providing access to other powerful features and their associated capabilities.

2. The geolocation Element

The HTML geolocation element can moderate access to the "geolocation" permission and the associated Geolocation capabilities.

Categories:

Flow content.

Phrasing content.

Interactive content.

Palpable content.

Contexts in which this element can be used:

Where phrasing content is expected.

Content model:

Flow content.

Content attributes:

Global attributes.

ActivationBlockersMixin attributes.

PermissionsMixin attributes.

autolocate — Whether to locate right away (if permission has already been granted).

watch — Wether to read the position once, or watch it continously.

Accessibility considerations:

See issues below.

DOM interface:

HTMLGeolocationElement

[WAI-ARIA] specifies roles for in-page content. It is yet unclear whether or how the geolocation element fits into the existing set of roles. Given that this element triggers permission requests, one could argue that whatever accessibility concerns apply there should cover this element as well. On the other hand, more specialized treatment may lead to better support for users.

In § 3.4 Styling, and Styling Restrictions, this specification defines elaborate restrictions on how geolocation elements can be rendered. It’s unclear whether there need to be similarly spirited restrictions on which ARIA attributes can be applied.

The isValid and invalidReason, as well as the global lang and tabindex content attributes, and the onpromptaction, onpromptdismiss, and onvalidationstatuschange event handlers follow the description in § 3 Mixins and Infrastructure.

The autolocate attribute determines whether the geolocation element should start locating immediately (if permission has already been granted).

The watch attribute determine whether the geolocation element report the location once or continously.

[Exposed=Window]
interface HTMLGeolocationElement : HTMLElement {
  [HTMLConstructor] constructor();

  readonly attribute GeolocationPosition? position;
  readonly attribute GeolocationPositionError? error;
  [CEReactions, Reflect] attribute boolean autolocate;
  [CEReactions, Reflect] attribute boolean watch;

  attribute EventHandler onlocation;
};
HTMLGeolocationElement includes ActivationBlockersMixin;
HTMLGeolocationElement includes PermissionsMixin;

If the user has decided to allow access to geolocation information, the readonly attributes position and error reflect the current GeolocationPosition and GeolocationPositionError values, just like the PositionCallback and PositionErrorCallback callbacks (respectively) would have returned

If the boolean attribute autolocate is true, and if the "geolocation" permission has already been granted by the user, then the location should be retrieved immediately when the geolocation element is attached to the document. If the permission has not already been granted at insertion time, then this attribute has no effect.

If the boolean attribute watch is set to true, the onlocation event is called every time the position changes, matching the behaviour of watchPosition.

When a location is available, an Event is dispatched on the onlocation event handler. When the event is dispatched, the location, or information about a failure to retrieve the location, are available in the position or the error attributes. Depending on the watch element this happens once (if absent or false), or continously (if true).

HTMLGeolocationElement wants to mirror the Geolocation interface. There is a direct correspondance:

The global lang attribute is observed by the element to select localized text.

The default value for the global tabindex content attribute on the element is 0.

2.1. geolocation element internal state

The geolocation element uses all the internal slots from ActivationBlockersMixin and PermissionsMixin. Additionally, geolocation has the following internal slots:

• A constant [[watchIDs]], which is used with the request a position algorithm.

• [[position]], which contains the most recent GeolocationPosition.

• [[positionError]], which contains the most recent GeolocationPositionError.

2.1.1. Mixin-supporting state at the navigable

In order to support the HTMLGeolocationElement, the navigable maintains an ordered set of elements, [[PermissionElements]]. This ordered set is used to evaluate the blockers of type unsuccesful_registration.

2.2. geolocation element algorithms

2.3. geolocation element rendering

The geolocation element is a non-devolvable widget and is chiefly rendered like a button. The button label is largely expected to be determined by the browser, rather than the page, and reflects its function of given access to Geolocation functionality. The element may also convey information about the current permission state of the "geolocation" powerful feature.

The page can influence the permission elements' styling, but with constraints to prevent abuse (e.g. minimum and maximum sizes for fonts and the label itself). These are described in § 3.4 Styling, and Styling Restrictions. The page can also select a locale for the text via the lang attribute.

The permission elements support fallback content, which will be displayed by any browser not yet supporting that element. Note that there are also conditions under which a browser that supports a respective permission element falls back to its fallback content.

3. Mixins and Infrastructure

This section defines several mixins and supporting algorithms.

3.1. Activation Blockers

To support a meaningful user intent signal and to conditionally block element activation, you can use the ActivationBlockersMixin

Content attributes:

isValid — query whether the element can currently be activated.

invalidReason — return a string representation of why the element currently cannot be activated.

onvalidationstatuschange — notifies when the validation status changes.

DOM interface:

interface mixin ActivationBlockersMixin {
  readonly attribute boolean isValid;
  readonly attribute ActivationBlockersMixinBlockerReason invalidReason;
  attribute EventHandler onvalidationstatuschange;
};

The isValid attribute reflects whether the element is currently blocked.

The invalidReason attribute is an enumerated attribute that informs the caller of the reason why activation is currently blocked. If there are multiple reasons, it picks one. Its value set is ActivationBlockersMixinBlockerReason.

The following are the event handler (and their corresponding event handler event type) that must be supported on elements that include the ActivationBlockersMixin:

The ActivationBlockersMixin attributes are:

• isValid

• invalidReason

• onvalidationstatuschange

3.1.1. Internal state

ActivationBlockersMixin elements have the following internal slots:

• The [[BlockerList]] is a list of records, containing a blocker timestamp and a blocker reason. The blocker reason is a ActivationBlockersMixinBlockerReason, but not the empty string.

• [[LastNotifiedValidState]] is a boolean that stores the most recently notified state of isValid.

• [[LastNotifiedInvalidReason]] is a string that stores the most recently notified state of invalidReason. [[LastNotifiedValidState]] and [[LastNotifiedInvalidReason]] are used to determine whether an onvalidationstatuschange event needs to be dispatches.

• [[IntersectionObserver]] is a reference to an IntersectionObserver.

• [[IntersectionRect]] is a DOMRectReadOnly that stores the most recently seen intersection, i.e. the position of the element relative to the viewport.

3.1.2. Action Blockers, Blocker Reasons, and Blocker Lifetimes

The key goal of the elements in this specification is to reflect a user’s conscious choice, and we need to make sure the user cannot easily be tricked into activating it. To do so, we maintain a list of blocker reasons, which may - permanently or temporarily - prevent the element from being activated.

Conceptually, a blocker reason is just an arbitrary string identifier. We provide an enumeration of its value set. It’s expected that not all users of the ActivationBlockersMixin will support all reasons.

enum ActivationBlockersMixinBlockerReason {
  "",   // No blocker reason.
  "illegal_subframe", "unsuccesful_registration",
  "recently_attached", "intersection_changed",
  "intersection_out_of_viewport_or_clipped",
  "intersection_occluded_or_distorted", "style_invalid",
  "type_invalid",
};

These blockers come with three lifetimes: Permanent, temporary, and expiring.

Permanent blocker

Once an element has a permanent blocker, it will be disabled permanently. There are used for issues that the website owner is expected to fix. An example is an element inside a fencedframe.

Temporary blocker

This is a blocker that will only be valid until the blocking condition no no longer occurs. An example is an element that is not currently in view. All temporary blockers turn into expiring blockers once the condition no longer applies.

Expiring blocker

This is a blocker that is only valid for a fixed period of time. This is used to block abuse scenarios like "click jacking". An example is an element that has recently been moved.

3.1.3. Algorithms

NOTE: The spec maintains blockers as a list [[BlockerList]], which may potentially grow indefinitely (since some blocker types simply expire, but are not removed). This structure is chosen for the simplicity of explanation, rather than for efficiency. The details of this blocker structure are not observable except for a handful of algorithms defined here, which should open plenty of opportunities for implementations to handle this more efficiently.

3.2. Powerful Features, aka Permissions

To support elements that gate access to powerful features, you can use the PermissionsMixin.

DOM interface:

interface mixin PermissionsMixin {
  readonly attribute PermissionState initialPermissionStatus;
  readonly attribute PermissionState permissionStatus;
  attribute EventHandler onpromptaction;
  attribute EventHandler onpromptdismiss;
};

The following are the event handlers (and their corresponding event handler event types) that must be supported on elements that include the PermissionsMixin:

The PermissionsMixin attributes are:

• initialPermissionStatus

• permissionStatus

• onpromptaction

• onpromptdismiss

3.2.1. Internal state

The PermissionsMixin represents capabilities gated by user-requestable permissions, which the user can activate to allow the site to start accessing them. It is core to the these elements that such requests are triggered by the user, and not by the page’s script. To enforce this, the element checks whether the activation event is trusted. Additionally it watches a number of conditions, like whether the element is (partially) occluded, or if it has recently been moved. The element maintains an internal [[BlockerList]] to keep track of this.

PermissionsMixin elements have the following internal slots:

• [[Features]] is null or an ordered set of powerful features. For most permission elements this is likely a fixed set, while for some this may be variable. Making it an internal slot allows us to write algorithms that work for all of them.

• [[InitialPermissionStatus]] is a PermissionState that stores the initial PermissionState for [[Features]].

3.2.2. Algorithms

3.2.3. Presentation

There isn’t much precedence for describing the user agent UI in detail. It may be better to leave more freedom to user agents.

An element using the PermissionsMixin contains browser-chosen content, text and maybe an icon. Activating them will often prompt the user to choose. This provides two bits of user interface that a user can interact with. The user agent is largely free to determine these — rendering of the element and the subsequent permission prompt — in whichever way it thinks best convey’s the element’s intent.

UI options for the elements' presentation include:

• Name the powerful features listed in [[Features]], in the language indicated by the language of the element. Note that this would always be the language indicated by the lang attribute, if present.

• An icon indicating the powerful feature type or types.

• The current permission state of the powerful feature in questions. For example, if the permission is already granted, the element might be labeled as "geolocation already in use".

• A modal prompt with a "scrim". (I.e., darkening out the page behind the prompt.) This would normally quite disruptive. But here our goal is to ensure a user means to make this choice.

User agents are encouraged to name or describe the powerful features in a way that’s consistent with similar usage in program or the platform it is running on.

Very non-normative examples might be:

• <geolocation lang=de>: "Standort verwenden".

• <geolocation watch=true> (in an English language page): "⌖ Track location.".

• Upon activiating <geolocation>, when the corresponding permission state is denied, modify the text to "Continue blocking".

3.3. Falling Back

A user agent that does not support a particular element would recognize them as HTMLUnknownElement and render their children as regular HTML. User agents that support such an element should usually render the element as described in § 3.4 Styling, and Styling Restrictions, but are still required to render the fallback content under one condition:

If the internal [[BlockerList]] contains a record whose blocker reason is type_invalid, then the element should render the fallback content instead of its usual rendering.

3.4. Styling, and Styling Restrictions

Permission elements constrain the styling that can be applied to them. These constraints come in three flavours:

1. If the condition isn’t met, the element is deactivated.

2. A user-agent defined stylesheet enforces certain styling.

3. The user-agent enforces bounds on additional styles, where the bounds cannot be easily expressed in CSS. For example, if the style bounds are expressed relative to the computed style of the element.

3.4.1. Conditions that Deactivate the Element

If one of these conditions is not met, then a temporary blocker is added with type style_invalid.

Define "alpha".

3.4.2. User-Agent Defined Stylesheet

A permission element is expected to render with the following styles:

@namespace "http://www.w3.org/1999/xhtml";
geolocation {
  opacity: 1.0;
  line-height: normal !important;
  whitespace: nowrap !important;
  user-select: none !important;
  appearance: auto !important;
  box-sizing: content-box !important;
  vertical-align: middle !important;
  text-emphasis: initial !important;
  text-shadow: initial !important;
}

3.4.3. Additional User-Agent Defined Style Bounds

For notational convenience, we imagine that the computed value of an element could be accessed in CSS rules with computed, just like the inherited value of an element can via the inherit keyword. Then the following sheet expresses the style bounds:

@namespace "http://www.w3.org/1999/xhtml";
geolocation {
  outline-offset: clamp(0, computed, none); /* No negative outline-offsets. */
  font-weight: clamp(200, computed, none);  /* No font-weights below 200. */
  word-spacing: clamp(0, computed, 0.5em);  /* Word-spacing between 0..0.5em */
  letter-spacing: clamp(-0.05em, commputed, 0.2em);  /* Letter spacing between -0.05..0.2em */

  min-height: clamp(1em, computed, none);
  max-height: clamp(none, computed, 3em);
  min-width: clamp(none, computed, calc(fit-content));

  border-width: clamp(none, computed, 1em);

  font-style: if(computed = "normal" or computed = "italic", computed, "normal");
  display: if (computed = "inline-block" or computed = "none", computed, "inline-block");
  cursor: if (computed = "pointer" or computed = "not-allowed", computed, "pointer")
}

Additionally, some rules apply based on conditions not easily expressible as CSS.

If height is auto, then apply:

@namespace "http://www.w3.org/1999/xhtml";
geolocation {
  padding-top: clamp(1em, computed, none);
  padding-bottom: calc(padding-top);
}

If width is auto, then apply:

@namespace "http://www.w3.org/1999/xhtml";
geolocation {
  padding-left: clamp(none, computed, 5em);
  padding-right: calc(padding-left);
}

Apply the following sheet, if the element does not have all of the following:

• A border width of at least 1px,

• a color to background-color contrast ratio of at least 3,

• and alpha of 1.

@namespace "http://www.w3.org/1999/xhtml";
geolocation {
  max-width: clamp(none, computed, calc(3 * fit-content));
}

The following CSS properties can be used normally:

• font-kerning

• font-optical-sizing

• font-stretch

• font-synthesis-weight

• font-synthesis-style

• font-synthesis-small-caps

• font-feature-settings

• forced-color-adjust

• text-rendering

• align-self

• anchor-name

• aspect-ratio

• border and all border shorthand properties, border-top, border-right, border-bottom, border-left

• clear

• color-scheme

• contain-intrinsic-width

• contain-intrinsic-height

• container-name

• container-type

• counter-reset, counter-increment, counter-set

• flex and its longhands, flex-grow, flex-shrink, flex-basis

• float

• height

• isolation

• justify-self

• left

• order

• orphans

• outline and mostly its longhands, outline-color and outline-style.
  Note that outline-offset is clamped by the rules above.

• overflow-anchor

• overscroll-behavior and its longhands, overscroll-behavior-inline, overscroll-behavior-block, overscroll-behavior-x, overscroll-behavior-y

• page

• position

• position-anchor

• right

• scroll-margin and its longhands, scroll-margin-top, scroll-margin-right, scroll-marginbottom', scroll-margin-left

• scroll-padding and its longhands, scroll-padding-top, scroll-padding-right, scroll-padding-bottom, scroll-padding-left, scroll-padding-inline-start, scroll-padding-block-start, scroll-padding-block-start, scroll-padding-inline-end, scroll-padding-block-end

• text-spacing-trim

• text-transform

• top

• visibility

• x

• y

• ruby-position

• user-select

• width

• will-change

• z-index

Properties that are not listed above, or in the rules in this section, and aren’t logically equivalent to one of the properties mentioned here, will be ignored.

4. Security & Privacy Considerations

Note: Security & Privacy Considerations can be found here & there, in the Explainer. This section will eventually contain a specification-worthy transcription of those Explainer sections.