Mozilla Pushes for “Secure Contexts” – All New Features Coming to Firefox Will Be Restricted to HTTPS
Wondering what a secure context is? It's basically a guarantee that the content is being delivered securely via HTTPS/TLS. The goal of secure contexts is to prevent man-in-the-middle (MitM) attackers from accessing powerful APIs that could be used to compromise the victim of an attack.
This means that any new feature – whether it's an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, or a bigger feature such as WebVR – will be available only to content delivered over HTTPS. This, however, won't affect existing features: the company said it will consider all the features and standards on a “case-by-case basis”, eventually moving completely to secure contexts.
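The check a browser makes before exposing a gated feature can be modelled in a few lines. The following is an added example, not code from Mozilla or from the original article. It is a simplified model of the W3C Secure Contexts rules that goes slightly beyond the text by also covering loopback hosts and framed documents. The function names and sample URLs are constructed for illustration.

```javascript
// Simplified model of the Secure Contexts checks (added example).
// Not covered here: file:, data: and blob: URLs, which browsers handle specially.

// Is the origin of this URL "potentially trustworthy"?
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trusted
  }
  // Authenticated, encrypted transport.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // Loopback is trusted without TLS: the traffic never leaves the machine,
  // so there is no network position for a MitM attacker.
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;

  return false;
}

// A framed document is a secure context only if it AND every ancestor pass.
// `chain` lists URLs from the top-level page down to the document in question.
function isSecureContextChain(chain) {
  return chain.length > 0 && chain.every(isPotentiallyTrustworthy);
}

// Site-side gating: detect the feature instead of assuming it exists.
// In a browser, pass `window`; `featureName` is whatever API the page needs.
function canUseGatedFeature(globalObj, featureName) {
  return globalObj.isSecureContext === true && featureName in globalObj;
}
```

Note that an HTTPS widget framed by an HTTP page fails the chain check, so serving only the embedded content over TLS does not unlock restricted features.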
Exceptions to requiring secure contexts
There is room for exceptions, provided justification is given to the dev.platform mailing list. This can either be inside the “Intent to Implement/Ship” email or a separate dedicated thread. It is up to Mozilla’s Distinguished Engineers to judge the outcome of that thread and ensure the dev.platform mailing list is notified. Expect to be granted an exception if:
- other browsers already ship the feature insecurely
- it can be demonstrated that requiring secure contexts results in undue implementation complexity.
The company’s decision follows a similar strategy from Google, which has moved on to secure contexts with its Chrome browser. Mozilla also launched its Let’s Encrypt project to push web traffic to HTTPS. The company announced last year that nearly 65% of web pages loaded by Firefox used HTTPS. In contrast, only 45% used a secure connection at the end of 2016.