Geolocation API from custom widget

I’m working on a custom widget for a field data collection interface. I’m calling the Geolocation API to get the user’s location (Geolocation.getCurrentPosition()) but I’m getting the following error:
“ERROR(1): User denied geolocation prompt”
But there was no prompt displayed. Is this an XSS issue? Is there a way to accomplish this in a custom widget?

Custom widgets are shown in an iframe. Perhaps the iframe will need an allow="geolocation" attribute to allow the API you want. Are you self-hosting or using our hosted service?

Yes, that’s it!
I am using your hosted service (with the widget source hosted on my own server). I added the allow=“geolocation” to the iframe tag using the browser inspector, reloaded the iframe, and it worked (got the prompt and then successfully queried the location). Of course, it fails as soon as the page is refreshed. So, is there a way for me to specify this permission for my custom widget (e.g. a tag in the custom URL)?

Do I need to self-host for this to work?

To set allow="geolocation" for all custom widgets would currently require a code change in Grist (perhaps here I would guess I asked about self-hosting vs hosted since if you were self-hosting it is a change you could potentially make yourself. For the hosted service, we need to think through whether it is reasonable to enable this globally, or what a good UI for configuring it on individual widgets might be.

OK, thanks Paul.
If you were going to support this, maybe just adding an optional tag in the custom URL would be enough. However, it seems like the Permissions-Policy mechanism is still in flux and not supported on many browsers, so maybe this is currently moot.