Leaflet Geolocation error: Only secure origins are allowed

I described some reasons to switch to HTTPS on my website. To be completely honest though, I didn’t finally get off my ass do that for any of those good reasons. I did it because I was building a map thing which requested browser geolocation and I noticed geolocation stopped working in chrome.

I’ve seen this deprecation warning a few times:

“getCurrentPosition() and watchPosition() are deprecated on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details.”

But somehow didn’t take it seriously. But yes. New versions of chrome won’t do geolocation unless it’s a HTTPS site. See this for yourself with this very basic geolocation test page on w3schools (which is http). [Update: Originally this was http, and so didn’t work in chrome. w3schools have since gone https]

The javascript console still only shows it as a deprecation warning not an error, but if your web application was relying on this…  it broke.

(Update for Aug 2017) Firefox v55 is going with this lock-down too. It says “Geolocation error: User denied geolocation prompt” as a popup, and in the console “A Geolocation request can only be fulfilled in a secure context.”

Any sensible application should probably be watching out for failure cases with geolocation anyway (see later examples for handling errors), but even so I find it a bit surprising that any old websites using geolocation across the web will be broken. There’s a bit more info on this google developers page

If you use LeafletJS, there’s a map.locate method which presumably uses the same method internally (navigator.geolocation.getCurrentPosition), but leaflet also detects the Chrome failure and pops up a different error message…

“Geolocation error: Only secure origins are allowed (see: https://goo.gl/Y0ZkNV)..”

If you use chrome you can see this on my geolocate example (http) here:


…and    *Trumpet noise*   see it fixed with the newly available https URL:


2 thoughts on “Leaflet Geolocation error: Only secure origins are allowed

  1. I’ve also been lazy and not bothered with https as I use firefox. But after reading this perhaps it’s time. Did you have to buy a certificate?

    1. No. It always used to be a thing you pay for, but letsencrypt are doing the basic kind of certificate for free. Too good to be true? Maybe not. “Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG), a public benefit organization” (wikipedia) Nice!

Leave a Reply

Your email address will not be published.