Comment by rickdeckard
16 hours ago
Seems to be quite simple, an App which wants to access this info just needs to set the permission for it.
Chrome doesn't seem to request that permission, so the OS doesn't provide the location-data to the app. So Chrome rather ended up in this state by doing nothing, not by explicitly doing something...
If your app targets Android 10 (API level 29) or higher and needs to retrieve unredacted EXIF metadata from photos, you need to declare the ACCESS_MEDIA_LOCATION permission in your app's manifest, then request this permission at runtime.
Source: https://developer.android.com/training/data-storage/shared/m...
That's not sufficient. We need a standardized attribute on the HTML form to request the permission as well. If Chrome requests the permission, great, but that's not fine-grained enough for a web browser.
Well yes, agree, but as stated Chrome didn't end up with this behavior because they did something, the Browser behaves like this because they didn't implement any logic for this permission.
A standardized attribute on an HTML-form would be difficult to define, because in this context the page just requests/receives a binary file, so a generic "strip embedded location information" decision from the user would be hard to enforce and uphold (also, by whom?).
In this case Android only knows the file-structure and EXIF because the file is requested by Chrome from a Media Library in the OS, not a file-manager.
W3C keeps thinking about this data-minimization topic repeatedly [0], so far they managed to define the principles [1], but enforcing them technically is quite hard if any kind of content can be submitted from a storage to a webpage...
[0] https://www.w3.org/blog/2019/adding-another-permission/
[1] https://www.w3.org/TR/security-privacy-questionnaire/#data-m...