-2

I am a bit confused of how does the "sharing your location" feature works in browsers. Assume I am using Chrome, I have the following questions:

  1. When a website prompt the pop-up request "this website want to know your location", when I click "allow", what will the browser do?

  2. If I click "do not allow", can the website still obtain my IP address and use it to locate me? My assumptions are if a web server is virtual hosted on a cloud server, my IP address will be intercepted at the front end and may or may not be forwarded to the origin server.

  3. If the IP can nontheless be known by the origin server and use it to locate me, I wonder how much practical value does the "sharing your location" option have (well I understand in many case IP may not be accurate, but in many other case it is)?

  4. In the case that my IP is not accurate and can't be used to locate me, how would "allowing the website to access my location" make the website know my location?

Revision: So I knew the basic drills such as GPS data will help on more accurate location, and how IP can be obfuscated either intentionally or unintentionally. I think my question boils down to, what extra information does Google have, such that enabling and disabling "share my location" can really make a difference: assuming I use a brand new desktop, is it true that if my IP is inaccurate, then Google can't know where I am either, if my IP is accurate, the website gonna know no matter I choose to share my location or not?

SamTest
  • 675
  • 5
  • 10
  • I think there is enough info from your discussion with schroeder to help with some of your misunderstandings, but I figure it wouldn't hurt to spell it out. First, a web application *always* knows your IP address. If it didn't then you wouldn't be able to communicate with it. Your assumption in #2 is incorrect, and is based on a bit of a misunderstanding of how networks and web applications work. – Conor Mancone Feb 28 '20 at 18:01
  • As schroeder says, IP addresses don't give very good geolocation information. Sometimes it can't even get you to the right city. Sometimes it may be more accurate, but rarely, especially for home users. The "Sharing your location" option from browsers is intended to give more accurate information than the IP address. There are a variety of ways it might do this which depend on what kind of device you are using (phone, desktop, laptop, etc...) – Conor Mancone Feb 28 '20 at 18:02
  • @conorMancone: for my assumption #2, say that you have Apache behind Nginx reverse proxy, the reverse proxy is going to intercept requests from wherever, and sent it to localhost, and use port number to differentiate different vHosts, and Apache as origin server will only see 127.0.0.1, unless the reverse proxy choose to attache a X-Forwarded-For to forward the origin IP where the request is from. – SamTest Feb 28 '20 at 21:13
  • @conormancone, I know about that Google do war driving and collect Wifi ssid. So other than that, and some browsing history that may facilitate Google's machine learning, Google has nothing more information than a regular website? Then I just wonder how much practicality disabling "share my location" provides? – SamTest Feb 28 '20 at 21:15
  • But all of that infrastructure is under the control of the person who runs the app. If they want to collect your IP address they can and will, regardless of how their infrastructure is setup. Also, you're focused on google but remember that this is a cross-browser feature. It's possible that chrome uses additional methods to suggest your location, but firefox/safari don't have access to these things and they may not be the most accurate anyway. Again, the link schroeder gave you states exactly what the main data source is. – Conor Mancone Feb 28 '20 at 21:20
  • @conormancone, thank you, but, it still does not directly solves my confusion. From the link, I click "try it yourself" from my desktop, and it pinpoints me to accurate latitude and longitude, how does the browser know so exactly where I am? – SamTest Feb 28 '20 at 21:25
  • It's a couple miles off for me. Again, read the big bolded note: "Note: Geolocation is most accurate for devices with GPS, like smartphone." – Conor Mancone Feb 28 '20 at 21:31

2 Answers2

2

You assume that IP provides accurate location. It doesn't. IPs might narrow down the city, unless you are using a VPN or tunneling to a remote corporate network, for instance.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • In most cases, for an ordinary user, the IP address is pretty accurate, unless, as you said, I use some way to obfuscate the IP. So essentially my question was, does disabling "share my location" option from any browser prevent a website obtaining my IP address? If not, I can't see much value of have such an option at all. – SamTest Feb 28 '20 at 17:04
  • 2
    "in most cases, it's pretty accurate" - that's not true at all. It might be true in your area, but in many areas, the IP the home user gets is attributed to a neighboring towm, and in some cases, is attributed to the ISP's head office location. – schroeder Feb 28 '20 at 17:12
  • So, you are saying that your real question is, "does disabling "share my location" option from any browser prevent a website obtaining my IP address" ????? Um, what? How would you be connecting to the website if it can't know your IP? – schroeder Feb 28 '20 at 17:14
  • Well, my intuitive assumption is that because TCP/IP is in lower layer, the origin server runs on the application layer may not necessarily obtain the IP, especially if it is hosted in the cloud. – SamTest Feb 28 '20 at 17:26
  • So if the IP is not accurate as you said, what exactly does "sharing my location" do? How would enabling this option let the website know where exactly I am then? – SamTest Feb 28 '20 at 17:27
  • Stacks offer some abstraction, but not that much abstraction... and how location services in the browswer works is easy to look up: https://www.w3schools.com/html/html5_geolocation.asp – schroeder Feb 28 '20 at 17:28
  • Thanks, but I want to know from theoretical level, not coding level, *how* my location is determined. What extra information, other than my IP, does Google know but the website does not know, that makes Google know where I am but the website does not know? – SamTest Feb 28 '20 at 17:32
  • @SamTest The big note at the top of schroeder's link pretty much answers that question for you: "Note: Geolocation is most accurate for devices with GPS, like smartphone." – Conor Mancone Feb 28 '20 at 17:59
  • google also uses a DB of wifi SSIDs as part of it's nebulous "location service" – dandavis Feb 28 '20 at 19:04
  • See https://security.stackexchange.com/questions/220244/how-far-is-my-access-point-bssid-sent-in-my-internet-packets/220250#220250 for an interesting discussion on how location information gets mapped to IP addresses. – mti2935 Feb 28 '20 at 21:39
2

How the "Share Your Location" button works depends on your browser. In Google Chrome, for example, this sends information from Google Location Services giving your best estimated position. Your position can be determined in many ways, including:

  1. Your GPS location

  2. Your IP address geolocation

  3. Nearby wifi access points (Google scrapes access point data with their Google Maps cars)

  4. Your search history

  5. You explicitly telling Google where your home is, your workplace, etc.

If you deny websites access to your location, they do still get your IP address, as the other answer addresses.

David
  • 1,386
  • 8
  • 8
  • #3 - definitely one of the creepier ways they determine location, even though it may (occasionally) be useful. That one has occasionally made me consider trying to deploy a network of raspberry pi wifi access points that exchange SSID/MAC addresses regularly to try to confuse the google algorithms... or maybe just deploy them on an army of drones... that probably won't cause more problems than it solves... – Conor Mancone Feb 28 '20 at 19:32