Quick answer: The geolocation directive controls whether a document or embedded frame may access location through the Geolocation API (getCurrentPosition and watchPosition). Disallow it everywhere with the response header Permissions-Policy: geolocation=(). Allow only your own origin with Permissions-Policy: geolocation=(self). When blocked, location requests fail with a permission-denied error and no prompt appears.
consent-required

geolocation

The geolocation policy controls whether the current document is allowed to use the Geolocation interface. If disabled in any document, calls to both getCurrentPosition and watchPosition must result in the error callback being invoked with PERMISSION_DENIED.

How to apply this policy

Send the following HTTP header to control the geolocation policy, and disallow it on all origins:

Feature-Policy: geolocation 'none'

Does it work?

Currently Firefox, and Chromium based browsers, such as Google Chrome, Samsung Internet, and Opera, are the only user-agents to support Feature Policy. The minimum version that correctly recognises the geolocation policy is:

Mozilla Firefox

65+

Google Chrome

60+

Microsoft Edge

Not supported

Apple Safari

Not supported

Discussion