[Feature Request] Setting to preserve browser location sharing prompt #3

@anthonysgro

User asked:

Is it intended that it directly feeds the “spoofed” location to every site that gets visited? There is no prompt anymore asking for permission to access the location and it grants it directly.

Context

Currently when spoofing is enabled, GeoSpoof intercepts getCurrentPosition and watchPosition and returns spoofed coordinates directly, bypassing the browser's native permission prompt entirely. The permissions.query override also returns "granted" unconditionally for geolocation.

This means every site that calls the geolocation API silently receives coordinates without the user ever being asked. While the data is fake, this behavior change itself adds fingerprinting entropy -- most Firefox users either deny or never see a geolocation prompt, so always having a location available (instantly, with no prompt delay) is a distinguishing signal. The specific coordinate pair also becomes a potential cross-site tracking value if it stays the same across sites.

What needs investigation

We need to decide whether and how to give users control over this behavior. Several approaches:

Option A: Add a "Preserve permission prompts" toggle (default off)

When enabled, call the real originalGetCurrentPosition to trigger the native browser prompt. If the user grants permission, swap the real coords with spoofed ones in the success callback. If denied, pass through the denial normally. Also stop overriding permissions.query to return "granted" when this mode is on.

Pros:

  • Users get per-site control over which sites receive any location at all
  • Reduces fingerprinting entropy -- denied sites see the same behavior as a normal Firefox user
  • Preserves the current convenient default for VPN companion use case

Cons:

  • Adds a settings toggle and UI complexity
  • Calling the real API means the browser briefly knows the user's real location (even though it's not sent to the site). Could matter for users who distrust the browser itself
  • The real API call may be slower (GPS lookup, prompt wait) compared to the instant spoofed response
  • Sites that check permissions.query before calling getCurrentPosition would see "prompt" instead of "granted", which could change site behavior (some sites won't even ask if status is "prompt")

Option B: Always preserve the prompt (change default behavior)

Same as Option A but always on, no toggle.

Pros:

  • Simpler -- no new setting to manage
  • More privacy-respecting by default
  • Closer to how a normal browser behaves

Cons:

  • Breaks the primary use case for many users -- VPN companion users want seamless spoofing without clicking "Allow" on every site
  • Would be a breaking change for existing users who expect the current behavior

Option C: Per-site allowlist/blocklist

Let users configure which sites get auto-granted spoofed location and which ones get the native prompt.

Pros:

  • Maximum control
  • Could auto-grant for known location-dependent sites (maps, weather) and prompt for everything else

Cons:

  • Significant UI/UX complexity
  • Needs a management interface for the list
  • Overkill for most users

Option D: Do nothing, document the tradeoff

Keep current behavior, add a note in docs/README explaining that auto-granting increases entropy.

Pros:

  • No added complexity
  • Current behavior is what most VPN companion users want

Cons:

  • Privacy-conscious users have no recourse other than disabling the extension
  • Doesn't address the valid fingerprinting concern

Open questions

  • Does calling the real geolocation API (to trigger the prompt) cause any real location data to leak to the OS or browser telemetry?
  • How do sites typically behave when permissions.query returns "prompt" vs "granted" -- would changing this break common site patterns?
  • Should watchPosition behave differently from getCurrentPosition in prompt-preserving mode?
  • Is there a way to show a prompt without calling the real geolocation API (e.g. a custom in-page prompt from the extension)?
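
Option A's flow, as an added JavaScript sketch that is not part of the original issue or GeoSpoof's code. The `settings.preservePrompt` flag, the `spoofed` object and the factory function names are assumptions; `originalGetCurrentPosition` is taken to be the native method already bound to `navigator.geolocation`.

```javascript
// Added sketch of Option A; names other than originalGetCurrentPosition are hypothetical.
// Build the position handed to the page: spoofed coordinates only.
function buildPosition(spoofed, timestamp) {
  return {
    coords: {
      latitude: spoofed.latitude,
      longitude: spoofed.longitude,
      accuracy: spoofed.accuracy,
      altitude: null, altitudeAccuracy: null, heading: null, speed: null,
    },
    timestamp,
  };
}

function makeGetCurrentPosition(originalGetCurrentPosition, settings, spoofed) {
  return function getCurrentPosition(success, error, options) {
    if (!settings.preservePrompt) {
      // Toggle off (default): current behaviour, spoofed answer with no prompt.
      success(buildPosition(spoofed, Date.now()));
      return;
    }
    // Toggle on: the native call makes the browser show its own prompt.
    originalGetCurrentPosition(
      // Granted: drop the real fix, keep only its timestamp.
      (real) => success(buildPosition(spoofed, real.timestamp)),
      // Denied, unavailable or timed out: pass the native error through unchanged.
      (err) => { if (typeof error === "function") error(err); },
      options
    );
  };
}

function makePermissionsQuery(originalQuery, settings) {
  return function query(descriptor) {
    const isGeo = Boolean(descriptor) && descriptor.name === "geolocation";
    if (isGeo && !settings.preservePrompt) {
      // Toggle off: unconditional "granted", as the issue describes today.
      return Promise.resolve({ state: "granted" });
    }
    // Toggle on, or any other permission: report the browser's real state.
    return originalQuery(descriptor);
  };
}
```

The real coordinates never reach the page's callback in either mode; only the permission outcome and the timestamp come from the browser.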

Labels: enhancement (New feature or request)
