There's only one JS file loaded from the HN main page - and it's 150 non-obfuscated lines long (nothing that would trigger location request, that's for sure!).
Unless there is shenanigans, it sounds like something is getting injected into your web responses.