Firefox Announces Secure Contexts Everywhere for New Features
All web-exposed features on Firefox must be served on HTTPS/TLS from now on
HTTPS is not just for websites, despite the fact that this is a common misconception. Granted, securing the connection between a website and a browser is the main job of HTTPS. But, there are certain ‘features’ that we use on websites that enhance our experience. These features include familiar names such as HTTP/2, Geolocation, Payment Request API, etc.
Until now, some of these features needed to be Secure Contexts (HTTPS-only). From now on, this is going to change. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.
Further explaining the “web-exposed” features falling under the umbrella of secure contexts he writes,
“Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.”
What are Secure Contexts?
As a result of a continuous push to encrypt the internet, we’re witnessing a remarkable migration to HTTPS. Undoubtedly, it’s a good thing. However, just a Green Padlock isn’t enough. Encrypting entire contexts is highly desirable, and that’s what ‘secure contexts’ is intended for.
Mozilla defines it as a Window or Worker for which:
“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”
Let’s make this clearer with an example. Suppose you have a website named https://example.com and you have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person. But this document opens up in a new window that isn’t TLS delivered (without specifying noopener). This website is considered to be an ‘insecure context.’
To put it simply, all the pages – including the parent and opener pages – must be delivered securely to be termed as ‘secure contexts.’
Why Secure Contexts?
Modern-day websites aren’t just meant for web-surfing purposes—they do much more than that. Whether it’s facilitating communication through a microphone, deriving a user’s location (with permission of course), or detecting the motion of a device—these features are becoming a common thing as far as websites are concerned.
These features utilize sensitive data and thus pose a significant risk as far the privacy and credibility of data are concerned. If data is not secured through HTTPS, a hacker/attacker could eavesdrop or tamper with the data using a ‘man-in-the-middle’ attack.
Google announced these same changes to its browser, Chrome, in July of last year.
Current List of Secure Contexts-only Features in Major Browsers
For your reference, here’s a list of features restricted to secure context:
Additional Resources
Permission.site is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown