Firefox Announces Secure Contexts Everywhere for New Features
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Firefox Announces Secure Contexts Everywhere for New Features

All web-exposed features on Firefox must be served on HTTPS/TLS from now on

HTTPS is not just for websites, despite the fact that this is a common misconception. Granted, securing the connection between a website and a browser is the main job of HTTPS. But, there are certain ‘features’ that we use on websites that enhance our experience. These features include familiar names such as HTTP/2, Geolocation, Payment Request API, etc.

Until now, some of these features needed to be Secure Contexts (HTTPS-only). From now on, this is going to change. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.

Further explaining the “web-exposed” features falling under the umbrella of secure contexts he writes,

“Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.”

What are Secure Contexts?

As a result of a continuous push to encrypt the internet, we’re witnessing a remarkable migration to HTTPS. Undoubtedly, it’s a good thing. However, just a Green Padlock isn’t enough. Encrypting entire contexts is highly desirable, and that’s what ‘secure contexts’ is intended for.

Mozilla defines it as a Window or Worker for which:

“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”

Let’s make this clearer with an example. Suppose you have a website named and you have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person. But this document opens up in a new window that isn’t TLS delivered (without specifying noopener). This website is considered to be an ‘insecure context.’

To put it simply, all the pages – including the parent and opener pages – must be delivered securely to be termed as ‘secure contexts.’

Why Secure Contexts?

Modern-day websites aren’t just meant for web-surfing purposes—they do much more than that. Whether it’s facilitating communication through a microphone, deriving a user’s location (with permission of course), or detecting the motion of a device—these features are becoming a common thing as far as websites are concerned.

These features utilize sensitive data and thus pose a significant risk as far the privacy and credibility of data are concerned. If data is not secured through HTTPS, a hacker/attacker could eavesdrop or tamper with the data using a ‘man-in-the-middle’ attack.

Google announced these same changes to its browser, Chrome, in July of last year.

Current List of Secure Contexts-only Features in Major Browsers

For your reference, here’s a list of features restricted to secure context:

Additional Resources is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.


Jay Thakkar

After graduating from university with an engineering degree, Jay found his true passion as a writer…specifically, a cybersecurity writer. He’s now a Hashed Out staff writer covering encryption, privacy, cybersecurity best practices, and related topics.