I still don’t understand the reason behind “spoofing” your location when it is behind a prompt.
Yes, absolutely. If you do not want any location-dependent services, feel free to continue to decline location permissions.
However, GeoSpoof is for when you want to appear in a specific location. Example: modern websites are very very suspicious, so if you use a VPN to appear in Tokyo but block the geolocation prompt, the website will see a conflict:
IP Address: Tokyo
Geolocation API: Access denied
Timezone: Los Angeles (EST)
WebRTC: Los Angeles IP Address
Many websites will block the legitimate use of digital services because of these inconsistencies. Some websites literally will not work unless you grant geolocation access. Spoofing is the only way to satisfy the website’s technical requirements for location while still maintaining your privacy.
Testing it more. Noticing an issue. On every YT page, it says to refresh the page to apply protection. Does not work after refreshing and even a browser restart.
How soon upon opening a new page or a website from clicking a link does GeoSpoof begin working? How can one be sure GeoSpoof isn’t “leaking” or taking more time than needed to do its job because it kinda defeats the whole purpose if it works less than 100% of the time properly.
Also noticing that the extension frequently gives me the “error” with a yellow exclamation on the icon and then to green. It also sometimes upon the first loading of the page stays on with the error asking to refresh the page. Doesn’t it already defeat the purpose even if it works after?
Please check on your end for these bugs if you can reproduce them. I’m seeing these often. It would also be nice to see what exactly it was unable to spoof if there’s an error.
I have never heard of this before. Got any examples of sites that require geolocation?
Many, many examples such as live sports, television stremaing, some regulated industries like futures trading, gambling, banking, crypto. Digital services that require geolocation such as uber, doordash, instacart, etc. Also web development for quality-assurance testing actual customer workflows that depend on specific geolocations.
To be completely transparent, you have a right to privacy and to change data on your own device. Using this tool is not illegal unless used to commit actual fraud, identity theft, bypassing international sanctions, etc. I absolutely do not endorse any illegitimate or illegal use of this tool, this is purely in the interest of legitimate privacy use and development purposes.
Opening many of my bookmarks one after an other and randomly. It consistently doesn’t appear to work on the first web page load of any website and on some not at all. That’s enough testing for tonight. Will see more tomorrow. And will let you know here so you can keep improving.
Darn you though, given the swift response and fix I’m now only compelled to bump up my donation when I make it.
I encourage others to donate if you can spare a few. This seems like its definitely going to be a permanent addition to my extension list. The opportunity cost may as well be too high to not use especially with a VPN.
Was browsing and stumbled upon this. Made an account here to just say thanks for making this. Having been trying it for the past couple of hours and it works well. Kinda fixes the problem VPNs can’t.
I do wish there was a Chromium version of this to be used on Brave or Helium. But since it’s brand new, I understand if that may take time.
And reading this thread, glad to learn that you plan on keep maintaining it. Also surprised Mullvad Browser doesn’t have this built in especially when you’re using it coupled with Mullvad VPN.
Since this will interfere with the protections Mullvad Browser provides.
This is correct, this extension modifies browser APIs like navigator.geolocation, Date.prototype.getTimezoneOffset, and Intl.DateTimeFormat. Those overrides change the browser’s fingerprint to make it more unique and therefore, identifiable. I think it is most accurate to say this extension is less of a fingerprinting utility and more of a companion for VPN to fully mask your browser location.
I would recommend against using this with RFP or FPP (with JSDateTimeUTC) since it does not cover all timezone metrics.
This is also correct, I can put out an update to cover all of the date/time apis firefox exposes, though since the project was so new I was focused on only covering the most common ones. I am actually a bit suspicious that there are some deeper issues with RFP/FPP compatibility. Those features patch the timezone at the Gecko level which completely bypasses the JS script injected by this extension.
So when RFP is on, you are forcing engine-level UTC while the JS level in the extension is forcing the timezone of the spoofed geolocation. I will have to think more on how to properly handle this case, or if it should be handled at all
@sgro Is it intended that it directly feeds the “spoofed” location to every site that gets visited? There is no prompt anymore asking for permission to access the location and it grants it directly.
@sgro Is it intended that it directly feeds the “spoofed” location to every site that gets visited? There is no prompt anymore asking for permission to access the location and it grants it directly.
Yes, that is by design. When protection is enabled, the extension intercepts geolocation requests and returns the spoofed location directly, bypassing the browser’s permission prompt. Since the data returned is your chosen fake location (not your real one), there’s no privacy risk from the location itself. That said, I can see how some users would prefer to still be asked per-site.
This is something I’m considering for a future update - - potentially adding an option to preserve the permission prompt while still spoofing the coordinates when granted. Would you be interested in something like that?
From a fingerprinting perspective yes you have a point, but as I said before this extension is not necessarily a fingerprinting utility, it is more of a VPN companion that aligns your browser settings to match your VPN location. But you definitely have a point that overriding the prompt is probably not a good solution. I can prioritize a feature to preserve the prompt so users can reject it
To be able to install this extension on other Gecko based browsers, I’m also going to need a .xpi file to manually install it. I’m hoping this is possible?
Please consider this as well along with a couple other improvements mentioned thus far.
Do you have a list of location data that can be accessed with or without this prompt?
Like, there is no prompt for a site to get your timezone, so you should continue to spoof it, while you shouldn’t spoof data that is locked behind that prompt. If you had a list of all the data points similar to timezone where no prompt is required in the first place that would be useful.
I’m making github issues to track them all