The navigator.geolocation.watchPosition function call doesn't work with sandboxed iframes where allow-same-origin is not specified (so the iframe counts as a unique and anonymous origin). I guess that making the sandboxed iframe not inherit the permission to use the the geolocation API of the site that contains is a sensible decision. Personally, I would like to have some way of creating sandboxed iframes that can also use the geolocation API but I can understand if that is not implemented. However, a sandboxed iframe also does not receive a permission error when it uses the geolocation API which is completely wrong and makes the situation really hard to debug. Perhaps, the bug at https://bugzilla.mozilla.org/show_bug.cgi?id=675533 is related somehow?