Mozilla edict: 'Web-accessible' features need 'secure contexts'

If an API or feature needs the 'net, it needs HTTPS under Mozilla's new plan

By Richard Chirgwin

Posted in Security, 18th January 2018 07:55 GMT

Mozilla has decided to further locking down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”.

The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will therefore be excluded.

The announcement landed a couple of days ago in this blog post by Mozilla developer Anne van Kesteren.

While HTTPS has become a near-default for serious web sites, developers sometimes leave “bells-and-whistles” features on HTTP; even migrating all the images a site pulls from a separate server can be challenging.

Mozilla, however, has a long-standing drive to get rid of HTTP wherever possible, so “all new features that are web-exposed are to be restricted to secure contexts”.

The edict means that in the Mozilla environment, a bunch of W3C APIs can't be accessed over an insecure connection. According to Sophos, the features and APIs include geolocation (restricted since last year), Bluetooth, HTTP/2, web notifications, webcam and microphone access, Google's Brotli compression and Accelerated Mobile Pages, encrypted media extensions, the payment request API, and various “service workers” used in background sync and notification.

Van Kesteren wrote that the test for which features and APIs needed secure contexts is that they're web-exposed: “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

“In contrast, a new CSS colour keyword would likely not be restricted to secure contexts.”

El Reg notes that some of the interfaces present risks even if they're only used on encrypted links. The Bluetooth API has been criticised as invasive, and last year privacy researcher Lukasz Olejnik identified worrying information leaks in the Web Payments API. ®

Sign up to our NewsletterGet IT in your inbox daily

23 Comments

More from The Register

Mozilla whips out Rusty new Firefox Quantum (and that's a good thing)

Landmark build promises to be faster, slimmer, better at multi-threading

Mozilla extends, and ends, Firefox support for Windows XP and Vista

Even Extended Support Releases will be naked and alone as of June 2018

Mozilla offers sysadmins a Policy Engine for roll-your-own Firefox installs

And warms to a kind of speculative execution for Tabs, too. Really.

Mozilla and Yahoo! trade sueballs over Firefox-Google search deal

'Your search is trash and you stopped paying ' vs. 'we had a deal you can't walk away from'

Mozilla abandons experimental Aurora Firefox channel

New builds from Nightly to Beta

Firefox 54 delivers sandboxes Mozilla's wanted since 2009

Project Electrolysis means Firefox spawns four processes and shares them between tabs

Mozilla's creepy Mr Robot stunt in Firefox flops in touching tribute to TV show's 2nd season

Updated This is the browser maker's Apple U2 moment

The Quantum of Firefox: Why is this one unlike any other Firefox?

Interview 57: Mozilla's big bid for relevance

Firefox to emit ‘occasional sponsored story’ in ads test

Privacy preserved, promise, because Mozilla wants to reinvent web ads

Mozilla launches 'privacy edition' Firefox... that phones home

You had one job, Mozilla. One job