All “Secure Contexts” Only Features In Chrome
Complete List of HTTPS-Only Features in Chrome
In order to keep users secure, Chrome has restricted a number of features to “secure origins” only. On the web, this usually means the feature is only available if your website uses HTTPS.
This is part of an initiative by Google known as “Deprecating Powerful Features on Insecure Origins.” In plain language this means that browser features which access your device (e.g. local storage, microphone) or sensitive user data can only be used over a secure connection.
This applies to both existing features/APIs and new ones. Some features, such as the Google-championed Service Worker API, were designed from the start with the expectation that they can only be used securely.
“Secure origins” or “secure contexts” include a variety of schemes and hosts. The most popular of these would be HTTPS and localhost. All secure origins are defined here by Google. There is also a W3C candidate specification defining secure context for those that like to read internet standards.
For many of these features a specific removal date/version has not been given. This is because Chrome’s developers look at real-world use of these features and may decide to delay removal until developers are ready. In general, they like to wait until insecure use of a feature drops below 0.03% of all page loads before removing a feature’s ability to work on insecure origins.
Keeping track of the details can be a bit difficult, so we put together a list of features already restricted to secure origins and which ones are on the chopping block.
Powerful Features? What are they?
What makes a feature powerful?
According to Google’s definition it is any feature which “handle personally-identifiable information… handle high-value information like credentials or payment instruments…[or] provide the origin with control over the UA’s trustworthy/native UI, access to sensors on the user’s device, or generally any feature that we would provide a user-settable permission or privilege to.”
In a Wired interview from last year, one of Chrome’s security leads explained that in order “to compete with mobile apps,” Google “wants web pages to be able to reach deeper into your computer’s resources, accessing the same sensitive information, like location and offline data, that apps routinely use. But if the web’s tendrils are going to extend further into our private lives, they first need to be secure.” That involves a number of initiatives to make Chrome safer, and securing powerful features is one of them.
Note that the below list of powerful features will grow over time. Any feature which would require the user to grant permission is a good candidate for a powerful feature.
Check back with this document as it will be updated as Google releases new information. Please leave a comment if you have any questions on features you may be concerned about or need clarity on.
Secure Origin-Only Features
These are features that are currently restricted to HTTPS or other secure origins.
Feature/API | When? | Notes |
getUserMedia (Webcam and Microphone) | Version 47 (~December 2015) | |
Geolocation | Version 50 (~April 2016) | Announcement post. |
EME (Encrypted Media Extensions) | Version 58 (~April 2017) | Announcement post. |
Service Workers | Version 40 (~January 2015) | Has required HTTPS since its initial introduction. |
Web Bluetooth | Version 56 (~January 2017) | Has required HTTPS since its initial introduction. |
WebCrypto | Version 37 (~August 2014) | Has required HTTPS since its initial introduction. |
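A practical way to use the table above is to gate calls to these APIs on the secure-context verdict rather than on whether an object happens to exist, because on plain HTTP Chrome still exposes objects such as navigator.geolocation and then rejects every request. The following is an added example written for this article, not code from the original page or from Chrome. It takes a window-like object so it can run outside a browser; in a page you would pass the real window. The feature list, the helper names and the constructed sample windows are this example's own assumptions; the property names probed are the real web API names.

```javascript
// Added example (not from the original article or from Chrome): a runtime
// gate for the secure-context-only APIs in the table above.

// Each entry names a feature from the table and how a page can probe for it.
// The list itself is this example's own construction.
const SECURE_ONLY_FEATURES = [
  { name: 'getUserMedia',    probe: (w) => !!(w.navigator && w.navigator.mediaDevices && w.navigator.mediaDevices.getUserMedia) },
  { name: 'Geolocation',     probe: (w) => !!(w.navigator && w.navigator.geolocation) },
  { name: 'EME',             probe: (w) => !!(w.navigator && w.navigator.requestMediaKeySystemAccess) },
  { name: 'Service Workers', probe: (w) => !!(w.navigator && w.navigator.serviceWorker) },
  { name: 'Web Bluetooth',   probe: (w) => !!(w.navigator && w.navigator.bluetooth) },
  { name: 'WebCrypto',       probe: (w) => !!(w.crypto && w.crypto.subtle) },
];

// Browsers expose window.isSecureContext. When it is missing (older engines
// or a non-browser host) fall back to the article's own definition: HTTPS or
// localhost counts as a secure origin.
function isSecureContext(w) {
  if (typeof w.isSecureContext === 'boolean') return w.isSecureContext;
  const loc = w.location || {};
  return loc.protocol === 'https:' ||
         loc.hostname === 'localhost' ||
         loc.hostname === '127.0.0.1';
}

// Report which restricted features are reachable from this context.
function auditSecureFeatures(w) {
  const report = { secure: isSecureContext(w), available: [], missing: [] };
  for (const f of SECURE_ONLY_FEATURES) {
    (f.probe(w) ? report.available : report.missing).push(f.name);
  }
  return report;
}

// Guard a call: check the secure-context verdict first, then presence.
// Presence alone is not enough; see the Geolocation note in the lead-in.
function requireSecureFeature(w, name) {
  if (!isSecureContext(w)) {
    const proto = (w.location || {}).protocol || 'unknown';
    throw new Error(`${name} requires a secure context (HTTPS or localhost); page scheme is ${proto}`);
  }
  const f = SECURE_ONLY_FEATURES.find((x) => x.name === name);
  if (!f || !f.probe(w)) throw new Error(`${name} is not available in this browser`);
  return true;
}

// Constructed window-like objects for offline demonstration (assumption:
// they mimic what Chrome exposes on HTTPS versus HTTP).
function makeSampleWindow(protocol, hostname, exposeApis) {
  const navigator = exposeApis
    ? { mediaDevices: { getUserMedia() {} }, geolocation: {},
        requestMediaKeySystemAccess() {}, serviceWorker: {}, bluetooth: {} }
    : { geolocation: {} }; // Chrome keeps this object even on HTTP
  return {
    location: { protocol, hostname },
    navigator,
    crypto: exposeApis ? { subtle: {} } : {},
  };
}

const SAMPLE_HTTPS = makeSampleWindow('https:', 'example.test', true);
const SAMPLE_HTTP  = makeSampleWindow('http:',  'example.test', false);
const SAMPLE_LOCAL = makeSampleWindow('http:',  'localhost',    true);

// In a real page: const report = auditSecureFeatures(window);
//                 requireSecureFeature(window, 'WebCrypto');
```

Note that `isSecureContext` is only a fallback heuristic; whenever the browser provides `window.isSecureContext`, that verdict wins, since the browser also accounts for cases such as an HTTPS page embedded inside an HTTP frame.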
Future Changes
These are features which will be restricted to HTTPS or other secure origins in upcoming versions of Chrome.
Feature/API | When? | Notes |
Application Cache (AppCache) | N/A | AppCache in its entirety is deprecated and no longer recommended, even over HTTPS. The Cache API, which is part of Service Workers, should be used instead. In Chrome, the AppCache API has been deprecated since the release of Version 52 in July 2016, but it has not yet been removed. |
Device Motion / Orientation | N/A | |
Fullscreen | N/A | |
Notifications | Version 61 (~September 2017) | Official platform status. Console warning currently shown when using |
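The AppCache row above recommends the Cache API instead. The following is an added example, not code from the original article or from Chrome, showing the service-worker Cache API pattern that replaces an AppCache manifest: precache an app shell on install, discard old versions on activate, and answer fetches cache-first. The handlers are written as plain async functions over a CacheStorage-like object so they can be exercised offline; the cache name, the URL list, the in-memory cache stand-in and the fake fetch are constructed for the example. The real event wiring at the bottom only activates when the file is loaded as a service worker, which (per the first table) requires HTTPS.

```javascript
// Added example (not from the original article or from Chrome): Cache API
// replacement for an AppCache manifest, written as testable functions.

const CACHE_NAME = 'app-shell-v1';                  // bump to invalidate old entries
const PRECACHE_URLS = ['/', '/app.js', '/app.css']; // constructed sample app shell

// install: fetch every shell URL and store it in the versioned cache.
// Any non-2xx fails the install so a half-cached shell is never activated.
async function precache(cacheStorage, fetchFn, urls = PRECACHE_URLS) {
  const cache = await cacheStorage.open(CACHE_NAME);
  for (const url of urls) {
    const res = await fetchFn(url);
    if (!res.ok) throw new Error(`precache failed for ${url}: HTTP ${res.status}`);
    await cache.put(url, res);
  }
  return urls.length;
}

// activate: drop caches left behind by previous versions of this worker.
async function cleanupOldCaches(cacheStorage) {
  const names = await cacheStorage.keys();
  const stale = names.filter((n) => n !== CACHE_NAME);
  await Promise.all(stale.map((n) => cacheStorage.delete(n)));
  return stale;
}

// fetch: cache-first, then network; successful network responses are stored.
// A real Response body can be read only once, so the cached copy is a clone.
async function cacheFirst(cacheStorage, fetchFn, url) {
  const cache = await cacheStorage.open(CACHE_NAME);
  const hit = await cache.match(url);
  if (hit) return { source: 'cache', response: hit };
  const res = await fetchFn(url);
  if (res.ok) await cache.put(url, typeof res.clone === 'function' ? res.clone() : res);
  return { source: 'network', response: res };
}

// In-memory stand-in for CacheStorage (constructed for offline demonstration).
function createMemoryCacheStorage(initialNames = []) {
  const stores = new Map(initialNames.map((n) => [n, new Map()]));
  return {
    async open(name) {
      if (!stores.has(name)) stores.set(name, new Map());
      const store = stores.get(name);
      return {
        async match(url) { return store.get(url); },
        async put(url, res) { store.set(url, res); },
      };
    },
    async keys() { return [...stores.keys()]; },
    async delete(name) { return stores.delete(name); },
  };
}

// Constructed fetch stand-in: serves the shell URLs, 404s anything else,
// and records calls so cache hits can be observed.
function createFakeFetch() {
  const calls = [];
  const fetchFn = async (url) => {
    calls.push(url);
    const ok = PRECACHE_URLS.includes(url);
    return { ok, status: ok ? 200 : 404, body: ok ? `contents of ${url}` : 'not found' };
  };
  return { fetchFn, calls };
}

// Real wiring, active only when this file runs as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('install', (e) => e.waitUntil(precache(caches, fetch)));
  self.addEventListener('activate', (e) => e.waitUntil(cleanupOldCaches(caches)));
  self.addEventListener('fetch', (e) =>
    e.respondWith(cacheFirst(caches, fetch, e.request.url).then((r) => r.response)));
}
```

Unlike an AppCache manifest, where the browser decides when the cache is used, every step here is explicit application code, which is why versioning the cache name and cleaning up on activate matter: without them, old shell files would be served indefinitely.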
Additional Resources
These may help…
Permission.site is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.