(No Ratings Yet)

Loading...

• Facebook
• Twitter
• LinkedIn
• Mail

July 21, 2017 Comments closed

All “Secure Contexts” Only Features In Chrome

in Industry Lowdown

Complete List of HTTPS-Only Features in Chrome

In order to keep users secure, Chrome has restricted a number of features to “secure origins” only. On the web, this usually means the feature is only available if your website uses HTTPS.

This is part of an initiative by google known as “Deprecating Powerful Features on Insecure Origins.” In plain language this means that browser features which access your device (e.g. local storage, microphone) or sensitive user data can only be used with a secure connection.

This applies to both existing features/APIs and new ones. Some features, such as the Google-championed Service Worker API were designed with the expectation that they can only be used securely.

“Secure origins” or “secure contexts” include a variety of schemes and hosts. The most popular of these would be HTTPS and localhost. All secure origins are defined here by Google. There is also a W3C candidate specification defining secure context for those that like to read internet standards.

For many of these features a specific removal date/version has not been given. This is because Chrome’s developers look at real-world use of these features and may decide to delay removal until developers are ready. In general, they like to wait until insecure use of a feature drops below 0.03% of all page loads before removing a feature’s ability to work on insecure origins.

Keeping track of the details can be a bit difficult, so we put together a list of features already restricted to secure origins and which ones are on the chopping block.

Powerful Features? What are they?

What makes a feature powerful?

According to Google’s definition it is any feature which “handle personally-identifiable information… handle high-value information like credentials or payment instruments…[or] provide the origin with control over the UA’s trustworthy/native UI, access to sensors on the user’s device, or generally any feature that we would provide a user-settable permission or privilege to.”

In a Wired interview from last year, one of Chrome’s security leads explained that in order “to compete with mobile apps,” Google wants “wants web pages to be able to reach deeper into your computer’s resources, accessing the same sensitive infor­mation, like location and offline data, that apps routinely use. But if the web’s tendrils are going to extend further into our private lives, they first need to be secure.” That involves a number of initiatives to make Chrome safer, and securing powerful features is one of them.

Note that the below list of powerful features will grow over time. Any feature which would require the user to grant permission is a good candidate for a powerful feature.

Check back with this document as it will be updated as Google releases new information. Please leave a comment if you have any questions on features you may be concerned about or need clarity on.

Secure Origin-Only Features

These are features that are currently restricted to HTTPS or other secure origins.

Feature/API	When?	Notes
getUserMedia (Webcam and Microphone)	Version 47 ~December 2015
Geolocation	Version 50 ~April 2016	Announcement post.   Google Developer’s announcement.
EME (Encrypted Media Extension)	Version 58 ~April 2017	Announcement post. Chrome Bug Tracker.
Service Workers	Version 40 ~January 2015	Has required HTTPS since it’s initial introduction.
Web Bluetooth	Version 56 ~January 2017	Has required HTTPS since it’s initial introduction.
WebCrypto	Version 37 ~August 2014	Has required HTTPS since it’s initial introduction.

Future Changes

These are features which will be restricted to HTTPS or other secure origins in upcoming versions of Chrome.

Feature/API	When?	Notes
Application Cache (AppCache)	N/A	AppCache in its entirety is deprecated and no longer recommended, even over HTTPS.   The Cache API, which is part of Service Workers, should be used instead.   In Chrome, the AppCache API has been deprecated since the release of Version 52 in July 2016 but it has not yet been removed.
Device Motion / Orientation	N/A
Fullscreen	N/A
Notifications	Version 61 ~September 2017	Official platform status. Console warning currently shown when using

 

Additional Resources

These may help…

Permission.site is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.

• #Google
• #Google Chrome
• #Permissions