  Post #1 (permalink)   01-20-2018, 03:30 PM
easyhostmedia
All web-exposed features on Firefox must be served on HTTPS/TLS from now on
HTTPS is not just for websites, despite the fact that this is a common misconception. Granted, securing the connection between a website and a browser is the main job of HTTPS. But, there are certain ‘features’ that we use on websites that enhance our experience. These features include familiar names such as HTTP/2, Geolocation, Payment Request API, etc.

Until now, some of these features needed to be Secure Contexts (HTTPS-only). From now on, this is going to change. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.

Further explaining the “web-exposed” features falling under the umbrella of secure contexts he writes,

“Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.”

What are Secure Contexts?
As a result of a continuous push to encrypt the internet, we’re witnessing a remarkable migration to HTTPS. Undoubtedly, it’s a good thing. However, just a Green Padlock isn’t enough. Encrypting entire contexts is highly desirable, and that’s what ‘secure contexts’ is intended for.

Mozilla defines it as a Window or Worker for which:

“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”

Let’s make this clearer with an example. Suppose you have a website named https://example.com and you have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person. But this document opens up in a new window that isn’t TLS delivered (without specifying noopener). This website is considered to be an ‘insecure context.’

To put it simply, all the pages – including the parent and opener pages – must be delivered securely to be termed as ‘secure contexts.’

Why Secure Contexts?
Modern-day websites aren’t just meant for web-surfing purposes—they do much more than that. Whether it’s facilitating communication through a microphone, deriving a user’s location (with permission of course), or detecting the motion of a device—these features are becoming a common thing as far as websites are concerned.

These features utilize sensitive data and thus pose a significant risk as far as the privacy and credibility of data are concerned. If data is not secured through HTTPS, a hacker/attacker could eavesdrop or tamper with the data using a ‘man-in-the-middle’ attack.

Google announced these same changes to its browser, Chrome, in July of last year.

Current List of Secure Contexts-only Features in Major Browsers
For your reference, here’s a list of features restricted to secure context:

https://developer.mozilla.org/en-US/...ecure_contexts

Additional Resources
Permission.site is a webpage that allows you to test a variety of powerful and permission-gated features over HTTP and HTTPS.

taken from https://www.thesslstore.com/blog/fir...-new-features/
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers

Last edited by easyhostmedia : 01-20-2018 at 03:33 PM.
 
 
 
The Following User Says Thank You to easyhostmedia For This Useful Post:
Artashes (01-21-2018)
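
Added example, not part of the original post or of any browser's code: a simplified JavaScript model of the secure-context rule as the post describes it (the page itself, its parent and its opener must all be delivered securely, unless the window was opened with noopener). The context object shape, the function names and the sample URLs are assumptions made for illustration; in a real page, read window.isSecureContext instead.

```javascript
// Simplified model of the rule described in the post. Illustration only.
// Loopback hosts are treated as trustworthy, as browsers do for local development.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True when the URL itself was delivered over TLS (or from a loopback host).
function deliveredSecurely(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return u.protocol === "http:" && LOOPBACK.has(u.hostname);
}

// ctx (hypothetical shape): { url, parent?, opener?, noopener? }
// Returns the URL of the first page that breaks the chain, or null if none does.
function firstInsecureLink(ctx, seen = new Set()) {
  if (!ctx || seen.has(ctx)) return null; // end of chain, or cycle guard
  seen.add(ctx);
  if (!deliveredSecurely(ctx.url)) return ctx.url;
  const viaParent = firstInsecureLink(ctx.parent, seen);
  if (viaParent) return viaParent;
  // noopener severs the link to the opener, so the opener is not consulted.
  return ctx.noopener ? null : firstInsecureLink(ctx.opener, seen);
}

function isSecureContextModel(ctx) {
  return firstInsecureLink(ctx) === null;
}

// Constructed sample contexts (not taken from the post).
const httpOpener = { url: "http://example.com/reports" };
const popup = { url: "https://example.com/cat-vs-dog", opener: httpOpener };
const popupNoopener = { ...popup, noopener: true };
const framed = {
  url: "https://example.com/widget",
  parent: { url: "http://example.com/" },
};

for (const [name, ctx] of Object.entries({ popup, popupNoopener, framed })) {
  const culprit = firstInsecureLink(ctx);
  console.log(name, culprit ? `insecure because of ${culprit}` : "secure");
}
```
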