The Geolocation API specification has one of the best cross-browser support percentages of all HTML5 functionality. On ~81% of all browsers, some dating back 24 versions, it remains one of the most dependably implemented systems. However, even with all of this support, it comes with a major caveat and some often subtle problems.
For those browsers running within a context that have access to a GPS or similar device, the geolocation data will come from that source. Assuming the user has given permission for the application to do so, and especially on many mobile devices, the data supplied to the API will come from something local, either software or hardware related. This will all be handled in-code.
For those contexts without this access, though, the API will silently fall back to using online geolocation services, often Google’s. And on face value, this may not seem so bad. However, the specification dictates that semi-identifiable data like IP addresses and even access point names be sent in to determine location. Such information, depending on the location and user in question, has the possibly to “leak” much more than was intended.
Using such services also introduces the need to be connected to an outside network as well, negating the ability to go offline or disconnect from the Internet. Again, this is less of an issue for mobile devices with location services, but has the potential to introduce problems for those with such services turned off or for non-mobile users in certain settings.