Because you are calling the geolocation from a content script, the context of the target page is used and the request looks like it's coming from the target page. So each different domain must be authorized. (Content scripts are essentially injected javascript with enhanced privileges.)
To avoid the need for domain-by-domain permission, call the geolocation API (which is an HTML5 API, not a chrome.* API) from an Event Page.
Here's a complete extension that demonstrates the process:
manifest.json:
{
"manifest_version": 2,
"permissions": ["geolocation"],
"content_scripts": [ {
"js": [ "main.js" ],
"matches": [ "<all_urls>" ]
} ],
"background": {
"scripts": ["eventPage.js"],
"persistent": false
},
"name": "_Read browser location",
"description": "See SO Q 18307051. Scarf location without spamming warnings",
"version": "1"
}
main.js:
chrome.runtime.sendMessage ( {command: "gimmeGimme"}, function (response) {
console.log (response.geoLocation);
} );
eventPage.js:
chrome.runtime.onMessage.addListener (
function (request, sender, sendResponse) {
if (request.command == "gimmeGimme") {
navigator.geolocation.getCurrentPosition (function (position) {
sendResponse ( {
geoLocation: (
"latitude=" + position.coords.latitude
+ ", longitude=" + position.coords.longitude
)
} );
} );
return true; // Needed because the response is asynchronous
}
}
);