Mapping

Increased web API security in Google Chrome

Starting with Google Chrome version 50, some of the HTML5 web APIs will require websites to be using a secure origin like HTTPS to work correctly. The APIs that will be affected are: GeolocationFullscreenDevice motion and Device orientation.

What does it mean?

Simply put, unless sites are running on the HTTPS protocol, they won’t work as expected.

Who’s affected by this change?

Many developers are using these APIs in apps alongside or with the ArcGIS API for Javascript. These APIs also provide key functionality for users in configurable or custom apps, Web AppBuilder for ArcGIS, and the map viewer used in ArcGIS Online and Portal for ArcGIS.

For instance, the Locate widget uses the Geolocation API to prompt the user for permission to find their position. If the user allows, it will navigate the map to their current location. This widget is used in the map viewer, Web AppBuilder, configurable apps and custom user apps.

Once Chrome has been automatically updated to version 50, the Locate widget will need to run on a website using HTTPS in order to successfully get the user’s current position. When the Locate widget is used on the HTTP protocol, a user will still be able to click the button, but nothing will happen and a warning will be logged in their browser’s console.

Why is this changing?

Chrome is making these changes to protect a user’s private information from a network attacker.

Functionality such as prompting for a user’s location, wasn’t originally required to be using a secure origin. However, it probably should have been to prevent unauthorized access to personally-identifiable information. It seems likely that other browsers will follow suit and may start requiring secure origins for some of these APIs to work as well. It’s better to be prepared for that, and more security is good too!

Although, it’s great to be more secure, it’s going to require changes to web hosts in order to keep the functionality working.

What you can do?

In order to keep everything working as expected, make sure that your apps are using a secure origin. See the following resources for setting up your organization, portal, or server with HTTPS.

What Esri is doing

In the next releases of our JavaScript API (3.17 & 4.0), we’ll be checking the browser to see if it is running on an insecure origin. If it is, we will disable the functionality that requires a secure origin. We’ll do this where necessary in our widgets and apps.

About the author

As a Software Engineer on the ArcGIS JavaScript API Team, I focus on building mapping widgets that provide a great user experience, are well designed and accessible to all users. Feel free to contact me at mdriscoll@esri.com with questions related to the JavaScript API, Widgets, TypeScript, and development tools. https://js.arcgis.com/

Connect:

Next Article

Podcast 3- Hussein Nasser, Esri; When curiosity comes, give it a chance.

Read this article