Also a great way to share cookies, avoid CORS, and probably a zillion other complexities that result from running on multiple subdomains.

https://www.openstreetmap.org

It's a very strange move indeed. maps.google.com implies an application lives there, far better than being on the root domain.

It also means that when you start typing maps.google, you'd get all your history searchable related to maps, although arguably that's useless.

I can't think of a reason why this would be a good technical move for Google (ignoring the don't do evil thingie), other than simplifying... certificates? Less lines in the firewall config... I'm stretching here, help me understand.

I'm wondering how much time browsers will take to implement URL match permission granting.

    Privacy and intimacy
    As we know it
    Will be a memory
    Among many to be passed down
    To those who never knew
    Living in the pupil of one thousand eyes

Google maps is pretty much one of the only Google products that I still actively use. It's funny that this article was written and published today, since I had noticed the exact same thing yesterday! Does anyone know when it first started?

huh? You were always able to share sub-domain cookies with top-level domain cookies no?

Set-Cookie: name=value; domain=google.com

This is also so they can invade your privacy, and correlate all of your searches to your geolocation.

I wonder if this is why the mega-app model is so common for Chinese companies. It's far easier to justify collecting a million permissions when your app does a million things.

As others have noticed, this is not a new move. For the past several years I've been accessing Google Maps simply by typing in maps.google.com and it has always redirected me to google.com/maps.

Its reverse for translate. https://google.com/translate redirects to translate.google.com

> Congratulations, you now have permission to geo-track me across all of your services.

I don't think Google needed to do this move to track you across their services. Pretty sure they were able to do that before.

Recently safari (on macos 10.15) started auto completing „maps.“ to „maps.apple.com“, although I only tried Apple maps once and always use gmaps. Maybe google noticed this and tries to circumvent safari‘s „preference“ for Apple Maps

Has this not been the case for a while? I think I've been getting /maps for at least the past year.

I think this change probably has more to do with corporate firewalls than anything else. A lot of corporate internet access isn't set up to MITM the requests (a lot of places are setup for this, but a lot aren't). If they places all their services under google.com as suffixes, places that don't MITM won't have any way of stopping it as all they can see is the request to google.com.

This is a fantastic example of motivated reasoning. This "change" (which apparently isn't even new) can have so many different reasons, some of which are less harmful and some of which are probably worse (privacy-wise) than the one mentioned here. There is no indication that re/mis-using permissions is specifically what they wanted to do here, there is also no example of them doing it right now. Don't get me wrong, there is also no evidence that this isn't the real reason and that they wouldn't do that in the future. But the blog post basically list a single symptom and jumps right to the one conclusion that fits what the author expects.

Funny thing is, it depends on your threat model.

Using google.com/XXX for all its services protect the user from being spied by external actors such as ISP because everything is hidden behind HTTPS.

Whereas, with XXX.google.com, external actors knows that you are using service XXX.

Genuine question. Is it reasonable as a user to expect data collected by Google via maps.google.com to not be shared with other Google applications e.g. mail.google.com?

I'd have thought data collected on any of their domains would be meshed/merged behind the scenes where it suits them to do so?

I got this a couple of years ago, and noticed immediately. Just as quickly denied the request, because I have fingers and can type my current address. It's a minor inconvenience.

It asked my for the permission earlier. I thought I'd granted it already and I didn't notice the sneaky domain switch, I've now revoked it.

I wish browsers had a more granular way to grant this and other permissions. E.g. Firefox just has allow/deny, and then "remember".

Granting it only if the user clicks the "show my location" UI element on the web page would be a closer match to user expectations, and would preclude pages from getting the permission in the background.

Of course that would introduce extra complexity, e.g. worrying about web pages sneakily making normal looking links the "get location" UX element.

There's probably no secure way to do it except for the webpage to communicate that it's a page that might want your location, and for the browser to show the "send my location" UX element itself (e.g. in the toolbar).

I recall from my time in Google Geo years ago that the idea of integrating Search and Maps was a big part of the "New Maps" release that happened around 2014. The rumor I heard was that someone (possibly even Larry himself) wanted to be able to have interactive maps directly on the search results page, so that the navigation from a search query to a map wouldn't involve even a page reload. So the big Maps frontend rewrite actually ended up merging MFE into GWS, the web search frontend server. I recall seeing maps hosted at google.com/maps around that time, but I don't know if that was ever launched fully or if it was just an experiment.

In any case, though, my understanding is that the technical capacity for this has existed for nearly 10 years now, just behind a configuration setting. So it's possible that this change is just a code cleanup. It's also possible that someone is trying to increase the percentage of searches that have location information, that doesn't seem terribly far-fetched either, and I can imagine lots of ways people could try to rationalize it as actually benefiting users. (Whether it actually does benefit users is of course debatable.)

I noticed that Google Search itself has very recently become much more aggressive about asking for location permission. Coincidence, or is collecting more location data someone high up’s KPI for the year?

This is actually something that browsers can mitigate. Allow users to give tracking permissions not only for subdomains, but also for paths.

    Deny: google.com/*
    Allow: google.com/flights

Something like that.

...this redirect has been in place for years. Honestly maybe even a decade at this point, it's been a long time.

This changed yesterday?What the hell? Don't you people know there's a freeze going on?