Mozilla has started 2018 off with a major announcement: “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts.”
Secure contexts are a group of protocols that a browser can securely communicate to without exposing information or being vulnerable to interception. On the internet, HTTPS is the major secure context. This also includes localhost and file://, which are used by developers and to access content stored locally on devices.
Browsers don’t want their users vulnerable to network interception, such as a man-in-the-middle attack, and have worked to restrict certain features to these secure contexts over the last few years.
Prior to this announcement, every major browser has already locked certain features to secure contexts. The biggest of the bunch being HTTP/2—for which HTTPS has become a de facto requirement. But that’s not all. In Chrome, there are more than 10 features that currently require secure contexts and four in Firefox. We keep an up-to-date list of those features here.
Mozilla originally announced their intentions to phase out HTTP in 2015. And now Mozilla is ready to take the next major step. Mozilla engineer Anne van Kesteren says thanks to advances in the HTTPS ecosystem and years of advocacy by standards groups and browsers, “all the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP.”
While some developers may see this as a disruptive move, there is ample evidence that these initiatives have led to a significant increase in HTTPS adoption. The web has a bright future full of rich features, but only if they can be used safely. We applaud Mozilla for their latest action to get us there.