Best Practices 01-09-2018

HTTPS-Only Features in Major Browsers

Vincent Lynch

You may not know this little fact: certain browser features require HTTPS to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS.

We often talk about the benefits to the user experience and website reputation by adopting HTTPS, but being able to develop a website with modern capabilities may be an even more compelling reason.

There are currently 10 features that require HTTPS in at least one major browser—including HTTP/2 and Brotli compression (both groundbreaking improvements in web technologies)— and plans to restrict three existing features to HTTPS sometime in the future.

We are going to briefly cover the background of HTTPS-only features and then the list of current and future features that require a secure connection.

The Importance of Secure Contexts

Google initially proposed restricting certain features to HTTPS in 2014. They realized that websites were starting to offer comparable experiences to native apps with browser features, such as webcam support and the local data storage. This was good news for rich web apps, but it posed a security risk if those features could be tampered with by a man-in-the-middle or other network interference or impersonation.

Imagine a user connects to your site and someone else on the network can piggyback on your access to their webcam or microphone and eavesdrop. Or worse, that network attacker entirely fabricates a request to access their webcam with an HTTP injection.

Since Google’s initial concept, their proposal has evolved into “Secure Contexts,” a W3C draft that hopes to become the internet standard for defining secure access to these advanced browser features.

Despite Secure Contexts being drafted, new features and standards have already been designed to require HTTPS from their inception—the biggest being HTTP/2. All major browsers require websites use HTTPS with HTTP/2, meaning you have absolutely no access to the newest version of the internet’s core protocol if you’re still serving unencrypted HTTP.

Other major standards like Brotli, a compression algorithm that offers better performance than gzip, and Google’s AMP, were also designed around HTTPS support.

You’ve likely heard some news recently about web browser initiatives around HTTPS. The increasing number of features, standards, and APIs that require HTTPS is yet another indicator of browsers’ strong interest in spurring adoption and the HTTPS-only future of the internet.

It can be hard to keep track of which features require HTTPS and how that affects specific browsers. This table summarizes all this information—including existing features that are planned to become HTTPS-only. Even if you don’t use these features on your website, this should serve as an eye-opener for just how serious major browsers like Chrome and Firefox are about HTTPS.

When a feature is HTTPS-only in a browser we list the version number with a link to documentation of the change. If a feature is not supported at all, or allowed over HTTP, we note that and any possible plans to restrict that feature in the future. This list will be updated as new announcements are made by browsers.

Secure-Origin-Only Features & Standards

Feature/Standard: HTTPS Only Starting: Notes:
AMP (Accelerated Mobile Pages) Some features, since introduction This one is unlike the others—AMP is Google’s open-source standard at serving pages for the mobile web.
Many AMP features, including iframes, video embedding, and serving ads require HTTPS. The full list of AMP components is available here, where you can check for an HTTPS requirement.
Bluetooth (Web Bluetooth) Since Introduction This API is only supported in Chrome
Brotli Since Introduction A compression format that offers better performance than gzip. Supported in Chrome 50 and Firefox 44.
getUserMedia (Webcam and Microphone) Chrome 47

Partially supported in Firefox

Firefox allows getUserMedia over HTTP, but only with one-time permission. This requires the user to give permission on each visit.
In Chrome, the Speech Recognition API, which requires access to the microphone as a prerequisite, also requires HTTPS.
Geolocation Chrome 50 Firefox 55
HTTP/2 Since Introduction While not explicitly required in the HTTP/2 standard, every major browser ( Chrome, Firefox, Safari, and Edge) require HTTPS for HTTP/2.
EME (Encrypted Media Extensions) Chrome 58 Planned in Firefox with no announced release date.
Notifications Chrome 62 The Notifications API is allowed in Firefox over HTTP.
Payment Request API (Web Payments) Since Introduction Google Developer’s introduction to Web Payments.
This API is not yet supported in Firefox.
Service Workers Since Introduction
Web Crypto Chrome 60 Planned in Firefox with no announced release date.

Upcoming Changes

These features and standards are still available over HTTP—for now. Browsers or standards groups (like the W3C or IETF) have expressed interest in requiring HTTPS for these in the future.

Feature/Standard: Will Require HTTPS Starting: Notes:
AppCache (Application Cache) N/A Chrome has deprecated the AppCache API over HTTP since Version 52. But note that this API in its entirety is also being abandoned by browsers and replaced by the Cache API.
Device Motion / Orientation N/A Announced on Chromium’s Security page.
Fullscreen N/A The Secure Contexts draft lists fullscreen as a good candidate for HTTPS-only access.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

Why Matter needs to toughen up

National Cybersecurity Awareness Month:
October 2024