Mozilla Pushes for “Secure Contexts” – All New Features Coming to Firefox Will Be Restricted to HTTPS 

Jan 17, 2018

Mozilla announced this week that all new features coming to its Firefox browser will be available only over a secure HTTPS connection. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” the company said. “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc.”

Wondering what a secure context is? Essentially, it is a guarantee that the content is being delivered securely via HTTPS/TLS. The goal of secure contexts is to prevent man-in-the-middle (MitM) attackers from accessing powerful APIs that could compromise the victim of an attack.
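The sketch below is an added example, not code from Mozilla or from the original article. It is a simplified approximation of the check the W3C Secure Contexts specification describes, showing two details the summary above leaves out: loopback hosts count as trustworthy, and an HTTPS frame embedded in an HTTP page is not a secure context. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: simplified approximation of the "potentially trustworthy
// origin" test from the W3C Secure Contexts specification. Real browsers
// apply further rules (for example, file: URLs are user-agent dependent).

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable URLs are never trusted
  }
  // Authenticated, encrypted transport.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // Loopback traffic never leaves the machine, so a network MitM cannot
  // tamper with it; this is why local development keeps working.
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]') return true;
  return false;
}

// A document is a secure context only if it AND every ancestor frame were
// delivered securely. `frameChain` lists URLs from the top-level page down
// to the innermost frame (hypothetical input format).
function isSecureContext(frameChain) {
  return frameChain.length > 0 && frameChain.every(isPotentiallyTrustworthy);
}

// In a page, the browser exposes its own verdict as `isSecureContext` on the
// global object; gate restricted features on it and fall back otherwise.
function canUseRestrictedFeature(globalObj) {
  return globalObj.isSecureContext === true;
}

// Constructed sample: an HTTPS widget framed by an HTTP page is NOT secure.
const framedWidget = ['http://news.example/', 'https://widget.example/'];
console.log(isSecureContext(framedWidget)); // false
```

Site owners can run a check like this over their page and frame URLs to see which ones would be excluded from features restricted to secure contexts.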

This means that any new feature – whether it’s an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, or a bigger feature such as WebVR – would be available only over HTTPS. This, however, won’t affect existing features, as the company said it will consider all the features and standards on a “case-by-case basis”, eventually moving completely to secure contexts.

Exceptions to requiring secure contexts

There is room for exceptions, provided justification is given to the dev.platform mailing list. This can either be inside the “Intent to Implement/Ship” email or a separate dedicated thread. It is up to Mozilla’s Distinguished Engineers to judge the outcome of that thread and ensure the dev.platform mailing list is notified. Expect to be granted an exception if:

  • other browsers already ship the feature insecurely
  • it can be demonstrated that requiring secure contexts results in undue implementation complexity.

The company’s decision follows a similar strategy from Google, which has moved to secure contexts with its Chrome browser. Mozilla also launched its Let’s Encrypt project to push web traffic to HTTPS. The company announced last year that nearly 65% of web pages loaded by Firefox used HTTPS. In contrast, only 45% used the secure connection at the end of 2016.