Mozilla edict: 'Web-accessible' features need 'secure contexts'

If an API or feature needs the 'net, it needs HTTPS under Mozilla's new plan

Mozilla has decided to lock down the Internet further, announcing that developers can only access new Firefox features from what it calls “secure contexts”.

The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will therefore be excluded.

The announcement landed a couple of days ago in a blog post by Mozilla developer Anne van Kesteren.

While HTTPS has become a near-default for serious web sites, developers sometimes leave “bells-and-whistles” features on HTTP; even migrating all the images a site pulls from a separate server can be challenging.

Mozilla, however, has a long-standing drive to get rid of HTTP wherever possible, so “all new features that are web-exposed are to be restricted to secure contexts”.

The edict means that in the Mozilla environment, a bunch of W3C APIs can't be accessed over an insecure connection. According to Sophos, the features and APIs include geolocation (restricted since last year), Bluetooth, HTTP/2, web notifications, webcam and microphone access, Google's Brotli compression and Accelerated Mobile Pages, encrypted media extensions, the payment request API, and various “service workers” used in background sync and notification.

Van Kesteren wrote that the test for which features and APIs needed secure contexts is that they're web-exposed: “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

“In contrast, a new CSS colour keyword would likely not be restricted to secure contexts.”

El Reg notes that some of the interfaces present risks even if they're only used on encrypted links. The Bluetooth API has been criticised as invasive, and last year privacy researcher Lukasz Olejnik identified worrying information leaks in the Web Payments API. ®
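For site owners checking what the policy means for them, the following added example (not code from Mozilla or the original article) approximates the "potentially trustworthy" URL test from the W3C Secure Contexts specification and lists the plain-HTTP subresources a page still pulls in. The function names and sample URLs are constructed for illustration, and the check deliberately ignores ancestor frames and browser-specific exceptions.

```javascript
// Added example: simplified "potentially trustworthy" check, modelled on the
// W3C Secure Contexts spec. Assumption: ancestor frames and browser-specific
// allowlists are ignored; names and sample data below are constructed.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never treated as trustworthy
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname.toLowerCase();
  // Loopback is treated as trustworthy so local development keeps working.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true; // 127.0.0.0/8
  if (host === "[::1]") return true; // WHATWG URL keeps the brackets
  return false;
}

// Resolve each reference against the page URL and report network loads
// (http:, ws:) that are not potentially trustworthy.
function auditPage(pageUrl, subresourceRefs) {
  const insecureSubresources = [];
  for (const ref of subresourceRefs) {
    let resolved;
    try {
      resolved = new URL(ref, pageUrl);
    } catch {
      continue; // skip references that cannot be resolved
    }
    const overNetwork = resolved.protocol === "http:" || resolved.protocol === "ws:";
    if (overNetwork && !isPotentiallyTrustworthy(resolved.href)) {
      insecureSubresources.push(resolved.href);
    }
  }
  return {
    pageUrl,
    secureContext: isPotentiallyTrustworthy(pageUrl),
    insecureSubresources,
  };
}

// Constructed sample: an HTTPS page that still loads one image over HTTP.
const SAMPLE_REFS = ["/static/app.js", "http://img.example/banner.png",
  "//fonts.example/a.woff2", "http://localhost:8080/dev.js"];
console.log(auditPage("https://shop.example/checkout", SAMPLE_REFS));
```

In a browser, `window.isSecureContext` gives the authoritative answer for the running page; this check is for auditing URLs offline.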