Firefox Announces Secure Contexts Everywhere for New Features

All web-exposed features on Firefox must be served on HTTPS/TLS from now on

It is a common misconception that HTTPS is only about securing websites. Granted, securing the connection between a website and a browser is the main job of HTTPS. But many of the ‘features’ we use on websites to enhance our experience also depend on it. These features include familiar names such as HTTP/2, Geolocation, the Payment Request API, etc.

Until now, only some of these features required a secure context (HTTPS-only). From now on, this is going to change. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.

Explaining which “web-exposed” features fall under the umbrella of secure contexts, he writes:

“Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.”

What are Secure Contexts?

As a result of a continuous push to encrypt the internet, we’re witnessing a remarkable migration to HTTPS. Undoubtedly, it’s a good thing. However, a green padlock on a single page isn’t enough. What is desirable is that the entire context a page runs in is delivered securely, and that’s what ‘secure contexts’ are intended to capture.

Mozilla defines it as a Window or Worker for which:

“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”

Let’s make this clearer with an example. Suppose you have a website named https://example.com and you have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person. But suppose that report opens in a new window from a page that wasn’t delivered over TLS (and without specifying noopener). That document is then considered to be an ‘insecure context.’

To put it simply, all the pages – including the parent and opener pages – must be delivered securely to be termed as ‘secure contexts.’
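As an added example (not code from the original post or from Mozilla), here is a small JavaScript model of the rule the post describes: a document is a secure context only when it and every ancestor frame and opener were delivered securely, and `noopener` cuts the opener out of that chain. The trustworthy-origin rules (https, wss, file, localhost and loopback addresses) follow the W3C Secure Contexts spec; the shape of the `doc` object is an assumption of this example.

```javascript
// Added example, not from the original post: models the "secure context"
// rule as the post describes it. In a real page the browser exposes the
// verdict directly as self.isSecureContext; this model shows why it says no.

// "Potentially trustworthy origin" rules from the W3C Secure Contexts spec:
// https/wss/file schemes, localhost names, and loopback addresses qualify.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.replace(':', '');
  if (scheme === 'https' || scheme === 'wss' || scheme === 'file') return true;
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // WHATWG URL keeps the brackets on an IPv6 hostname, so accept both forms.
  if (host === '[::1]' || host === '::1') return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// doc (assumed shape for this example):
//   { url, ancestors: [parent frame URLs], opener: doc | undefined, noopener }
function isSecureContext(doc) {
  // The document itself must have been delivered securely ...
  if (!isPotentiallyTrustworthy(doc.url)) return false;
  // ... and so must every frame it is embedded in (the "parent" pages).
  for (const ancestor of doc.ancestors || []) {
    if (!isPotentiallyTrustworthy(ancestor)) return false;
  }
  // A window opened with noopener has no link back to its opener, so the
  // opener's security is irrelevant; otherwise the opener must be secure too.
  if (doc.opener && !doc.noopener) return isSecureContext(doc.opener);
  return true;
}

// Feature gating as a secure-context-only API would do it: the feature is
// only handed out when the global object reports a secure context.
function gatedFeature(globalLike, featureName) {
  if (globalLike.isSecureContext !== true) return null;
  return globalLike.navigator[featureName] || null;
}
```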

Why Secure Contexts?

Modern-day websites aren’t just meant for web-surfing purposes—they do much more than that. Whether it’s facilitating communication through a microphone, deriving a user’s location (with permission of course), or detecting the motion of a device—these features are becoming a common thing as far as websites are concerned.

These features handle sensitive data and thus pose a significant risk as far as the privacy and integrity of that data are concerned. If the data is not protected by HTTPS, an attacker could eavesdrop on it or tamper with it using a ‘man-in-the-middle’ attack.

Google announced these same changes to its browser, Chrome, in July of last year.

Current List of Secure Contexts-only Features in Major Browsers

For your reference, here’s a list of features restricted to secure contexts:

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts

Additional Resources

Permission.site is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.

1 comment
  • […] In line with its recent announcement to restrict all web-exposed features to HTTPS, Firefox has announced that AppCache must be served over HTTPS, too. Application Cache (AppCache) facilitates a caching mechanism for the website admins who want to run their sites offline. Right now, it can be availed for HTTP as well as HTTPS pages. However, with the launch of Firefox 62 in September 2018, only the HTTPS pages will be able to include this feature. In other words, Firefox has restricted AppCache to Secure Contexts. […]

Author

Jay Thakkar

After graduating from university with an engineering degree, Jay found his true passion as a writer…specifically, a cybersecurity writer. He’s now a Hashed Out staff writer covering encryption, privacy, cybersecurity best practices, and related topics.