Mozilla edict: 'Web-accessible' features need 'secure contexts'

If an API or feature needs the 'net, it needs HTTPS under Mozilla's new plan

By Richard Chirgwin

Posted in Security, 18th January 2018 07:55 GMT

Mozilla has decided to further locking down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”.

The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will therefore be excluded.

The announcement landed a couple of days ago in this blog post by Mozilla developer Anne van Kesteren.

While HTTPS has become a near-default for serious web sites, developers sometimes leave “bells-and-whistles” features on HTTP; even migrating all the images a site pulls from a separate server can be challenging.

Mozilla, however, has a long-standing drive to get rid of HTTP wherever possible, so “all new features that are web-exposed are to be restricted to secure contexts”.

The edict means that in the Mozilla environment, a bunch of W3C APIs can't be accessed over an insecure connection. According to Sophos, the features and APIs include geolocation (restricted since last year), Bluetooth, HTTP/2, web notifications, webcam and microphone access, Google's Brotli compression and Accelerated Mobile Pages, encrypted media extensions, the payment request API, and various “service workers” used in background sync and notification.

Van Kesteren wrote that the test for which features and APIs needed secure contexts is that they're web-exposed: “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

“In contrast, a new CSS colour keyword would likely not be restricted to secure contexts.”

El Reg notes that some of the interfaces present risks even if they're only used on encrypted links. The Bluetooth API has been criticised as invasive, and last year privacy researcher Lukasz Olejnik identified worrying information leaks in the Web Payments API. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Mozilla wants to seduce BOFHs with button-down Firefox

Control. Control. Control

Mozilla rejects your reality and substitutes its own … browser for VR and AR goggles

Enter another dimension, not only of sight and sound but of mind …

Mozilla pulls ads from Facebook after spat over privacy controls

UK advertisers' society has also fired a warning shot

Aw, all grown up: Mozilla moves WebAssembly into sparsely furnished Studio apartment

Invites devs for tour amid ongoing construction

Mozilla sends more snooping Web APIs to smartphone Siberia

Light and proximity sensors blocked for Firefox 62

Mozilla releases voice dataset and transcription engine

Baidu's Deep Speech with TensorFlow under the covers

Mozilla devs discuss ditching Dutch CA, because cryptowars

We don' want no STEENKIN' proxies, as will be possible under new local laws

Mozilla and Yahoo! trade sueballs over Firefox-Google search deal

'Your search is trash and you stopped paying ' vs. 'we had a deal you can't walk away from'

Mozilla whips out Rusty new Firefox Quantum (and that's a good thing)

Landmark build promises to be faster, slimmer, better at multi-threading

Mozilla extends, and ends, Firefox support for Windows XP and Vista

Even Extended Support Releases will be naked and alone as of June 2018