All web-exposed features on Firefox must be served on HTTPS/TLS from now on
A common misconception is that HTTPS matters only for the web page itself. Securing the connection between a website and a browser is indeed the main job of HTTPS, but the browser features that websites build on to enhance the user’s experience depend on it too. Familiar names in this group include HTTP/2, Geolocation and the Payment Request API.
Until now, only some of these features were restricted to secure contexts (HTTPS-only). That is now changing. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.
Explaining further which “web-exposed” features fall under the umbrella of secure contexts, he writes:
What are Secure Contexts?
As a result of the continuing push to encrypt the web, we are witnessing a remarkable migration to HTTPS, and that is undoubtedly a good thing. However, a green padlock on the page itself is not enough: a document delivered over TLS can still be embedded in, or opened by, pages that were not, and those pages can communicate with it. Requiring the whole chain of documents to be delivered securely is what ‘secure contexts’ is intended for.
Mozilla defines it as a Window or Worker for which:
“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”
Let’s make this clearer with an example. Suppose you run https://example.com and have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person, delivered over TLS. Now suppose a visitor reaches it from a plain http:// page that opens the report in a new window with window.open() without specifying noopener. Even though the report itself is delivered over HTTPS, its opener is not, and the opener keeps a reference to the new window, so the report is not considered a ‘secure context.’
To put it simply, every document in the chain, the page itself, any parent frames and, unless noopener was used, the opener page, must be delivered securely for the page to be termed a ‘secure context.’
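To make the rule concrete, here is an added example (not code from the Mozilla post or the specification): a small JavaScript model of the chain check described above, followed by the runtime check a page can make before using a powerful feature. The `doc` objects, the `env` parameter standing in for `window`, and the URLs are constructed for illustration; in a real page the check is simply `window.isSecureContext`.

```javascript
// Added example, not from the Mozilla post: a model of the secure-context rule
// (the document, every ancestor frame and, unless noopener was used, the opener
// must all be delivered securely), plus the runtime check a page can make.

// Origins the Secure Contexts spec treats as "potentially trustworthy":
// TLS-delivered content and loopback addresses. (Plain "localhost" is only
// trustworthy under extra name-resolution conditions, so it is left out here.)
const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]);

function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return SECURE_SCHEMES.has(u.protocol) || LOOPBACK_HOSTS.has(u.hostname);
}

// `doc` is a constructed description of a document: its own URL, the URLs of
// any ancestor frames it is embedded in and, if it was opened via
// window.open(), the opener's URL and whether "noopener" was specified.
function isSecureContext(doc) {
  const chain = [doc.url, ...(doc.ancestors || [])];
  // noopener severs the opener's reference, so the opener then does not count.
  if (doc.opener && !doc.noopener) chain.push(doc.opener);
  return chain.every(isPotentiallyTrustworthy);
}

// Gate a powerful feature on the secure-context bit. In a browser, `env` is
// `window`; it is a parameter here so the function can run outside a browser.
// Returns true if the request was issued, false if it was refused.
function requestLocation(env, onPosition, onError) {
  if (!env.isSecureContext) {
    onError(new Error("Geolocation requires a secure context; serve this page over HTTPS"));
    return false;
  }
  if (!env.navigator || !env.navigator.geolocation) {
    onError(new Error("Geolocation API is not available"));
    return false;
  }
  env.navigator.geolocation.getCurrentPosition(onPosition, onError);
  return true;
}

// Constructed scenarios mirroring the cat-vs-dog report example.
const report = "https://example.com/cats-vs-dogs";
console.log(isSecureContext({ url: report }));                                  // true
console.log(isSecureContext({ url: report, opener: "http://example.com/" }));  // false: insecure opener
console.log(isSecureContext({ url: report, opener: "http://example.com/", noopener: true })); // true
console.log(isSecureContext({ url: "https://cdn.example/widget", ancestors: ["http://example.com/"] })); // false: insecure parent frame
console.log(isSecureContext({ url: "http://127.0.0.1:8080/" }));               // true: loopback
```

The model deliberately mirrors the rule as it stood when the Mozilla post was written, with the opener counted unless `noopener` was used; `requestLocation` shows the practical consequence, which is that a page should check `isSecureContext` and fail with a clear message rather than let the browser silently refuse the API.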
Why Secure Contexts?
Modern websites are no longer just something to browse; they do much more than that. Whether it is capturing audio from a microphone, determining a user’s location (with permission, of course) or reading a device’s motion sensors, such features are now commonplace on websites.
These features handle sensitive data and therefore pose a significant risk to the privacy and integrity of that data. If the page is not delivered over HTTPS, an attacker on the network can eavesdrop on or tamper with the traffic in a ‘man-in-the-middle’ attack. Worse, because a permission is granted to an origin, the attacker can inject script into a plain-HTTP page and exercise the permission the user granted to the legitimate site.
Current List of Secure Contexts-only Features in Major Browsers
For your reference, here is a list of features restricted to secure contexts:
Permission.site is a webpage that lets you test a variety of powerful, permission-gated features over both HTTP and HTTPS, so you can see the difference for yourself.