Mozilla edict: 'Web-accessible' features need 'secure contexts'

If an API or feature needs the 'net, it needs HTTPS under Mozilla's new plan

By Richard Chirgwin


Mozilla has decided to further locking down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”.

The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will therefore be excluded.

The announcement landed a couple of days ago in this blog post by Mozilla developer Anne van Kesteren.

While HTTPS has become a near-default for serious web sites, developers sometimes leave “bells-and-whistles” features on HTTP; even migrating all the images a site pulls from a separate server can be challenging.

Mozilla, however, has a long-standing drive to get rid of HTTP wherever possible, so “all new features that are web-exposed are to be restricted to secure contexts”.

The edict means that in the Mozilla environment, a bunch of W3C APIs can't be accessed over an insecure connection. According to Sophos, the features and APIs include geolocation (restricted since last year), Bluetooth, HTTP/2, web notifications, webcam and microphone access, Google's Brotli compression and Accelerated Mobile Pages, encrypted media extensions, the payment request API, and various “service workers” used in background sync and notification.

Van Kesteren wrote that the test for which features and APIs needed secure contexts is that they're web-exposed: “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

“In contrast, a new CSS colour keyword would likely not be restricted to secure contexts.”

El Reg notes that some of the interfaces present risks even if they're only used on encrypted links. The Bluetooth API has been criticised as invasive, and last year privacy researcher Lukasz Olejnik identified worrying information leaks in the Web Payments API. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Sophos SafeGuard anything but – thanks to 7 serious security bugs

Your antimalware tools can get malware too, so get updating

Look, what's that over there? Sophos nips Windows DNS DLL false positive in the bud

Temporary file during update shuffled off to quarantine

Mozilla wants to seduce BOFHs with button-down Firefox

Control. Control. Control

Mozilla-endorsed security plug-in accused of tracking users

Web Security says there's nothing nefarious to its URL collection

Mozilla accuses FCC of abdicating its role, ignoring comments in net neutrality lawsuit

Legal battle #433 over Pai's push to kill off rules

Creepy or super creepy? That is the question Mozilla's throwing at IoT Christmas pressies

'Tis the season to be tracked by your connected water bottle

No D'oh! DNS-over-HTTPS passes Mozilla performance test

Privacy-protecting domain name system standard closer

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’

Browser will stop asking nicely for privacy protections

Mozilla grants distrusted Symantec certs a stay of execution, claims many sites yet to make switch

Delay 'in the overall best interest' of Firefox users

Your RSS is grass: Mozilla euthanizes feed reader, Atom code in Firefox browser, claims it's old and unloved

The Live bookmarks, preview features, that is