Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software
Documents & Signing
IoT & Connected Devices
Manage PKI and certificate risk in one place
Modern crypto for evolving
business needs
Secure, update, monitor and control connected devices at scale
DOWNLOAD NOW - Buy
-
Insights
Back
Resources
Explore these pages to discover how TV is helping organizations establish, manage and extend digital trust to solve real-world problems.
Ponemon Institute Report
See what our global post-quantum study uncovered about where the world stands in the race to prepare for quantum computing.
LEARN MORE >
-
Partners
Back
- Support
- Contact us
- Language
Best Practices
01-09-2018
Vincent Lynch
HTTPS-Only Features in Major Browsers
You may not know this little fact: certain browser features require HTTPS to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS.
We often talk about the benefits to the user experience and website reputation by adopting HTTPS, but being able to develop a website with modern capabilities may be an even more compelling reason.
There are currently 10 features that require HTTPS in at least one major browser—including HTTP/2 and Brotli compression (both groundbreaking improvements in web technologies)— and plans to restrict three existing features to HTTPS sometime in the future.
We are going to briefly cover the background of HTTPS-only features and then the list of current and future features that require a secure connection.
The Importance of Secure Contexts
Google initially proposed . They realized that websites were starting to offer comparable experiences to native apps with browser features, such as webcam support and the local data storage. This was good news for rich web apps, but it posed a security risk if those features could be tampered with by a man-in-the-middle or other network interference or impersonation.
Imagine a user connects to your site and someone else on the network can piggyback on your access to their webcam or microphone and eavesdrop. Or worse, that network attacker entirely fabricates a request to access their webcam with an HTTP injection.
Since Google’s initial concept, their proposal has evolved into “,” a W3C draft that hopes to become the internet standard for defining secure access to these advanced browser features.
Despite Secure Contexts being drafted, new features and standards have already been designed to require HTTPS from their inception—the biggest being HTTP/2. All major browsers require websites use HTTPS with HTTP/2, meaning you have absolutely no access to the newest version of the internet’s core protocol if you’re still serving unencrypted HTTP.
Other major standards like Brotli, a compression algorithm that offers better performance than gzip, and Google’s AMP, were also designed around HTTPS support.
You’ve likely heard some news recently about web browser initiatives around HTTPS. The increasing number of features, standards, and APIs that require HTTPS is yet another indicator of browsers’ strong interest in spurring adoption and the HTTPS-only future of the internet.
It can be hard to keep track of which features require HTTPS and how that affects specific browsers. This table summarizes all this information—including existing features that are planned to become HTTPS-only. Even if you don’t use these features on your website, this should serve as an eye-opener for just how serious major browsers like Chrome and Firefox are about HTTPS.
When a feature is HTTPS-only in a browser we list the version number with a link to documentation of the change. If a feature is not supported at all, or allowed over HTTP, we note that and any possible plans to restrict that feature in the future. This list will be updated as new announcements are made by browsers.
Secure-Origin-Only Features & Standards
| Feature/Standard: | HTTPSOnlyStarting: | Notes: |
|---|---|---|
| AMP (Accelerated Mobile Pages) | This one is unlike the others— is Google’s open-source standard at serving pages for the mobile web.
Many AMP features, including iframes, video embedding, and serving ads require HTTPS. The full list of AMP components is , where you can check for an HTTPS requirement. |
|
| Bluetooth (Web Bluetooth) | This API is only supported in Chrome | |
| Brotli | Since Introduction | A compression format that offers better performance than gzip. Supported in Chrome 50 and Firefox 44. |
| getUserMedia (Webcam and Microphone) |
Partially supported in Firefox |
Firefox allows getUserMedia over HTTP, but only with one-time permission. This requires the user to give permission on each visit.
In Chrome, the Speech Recognition API, which requires access to the microphone as a prerequisite, also requires HTTPS. |
| Geolocation | ||
| HTTP/2 | While , every major browser ( Chrome, Firefox, Safari, and Edge) require HTTPS for HTTP/2. | |
| EME (Encrypted Media Extensions) | with no announced release date. | |
| Notifications | The Notifications API is allowed in Firefox over HTTP. | |
| Payment Request API (Web Payments) | .
This API is not yet supported in Firefox. |
|
| Service Workers | ||
| Web Crypto | with no announced release date. |
Upcoming Changes
These features and standards are still available over HTTP—for now. Browsers or standards groups (like the W3C or IETF) have expressed interest in requiring HTTPS for these in the future.
| Feature/Standard: | WillRequireHTTPSStarting: | Notes: |
|---|---|---|
| AppCache (Application Cache) | N/A | Chrome has . But note that this API in its entirety is also being abandoned by browsers and replaced by the . |
| Device Motion / Orientation | N/A | . |
| Fullscreen | N/A | The lists fullscreen as a good candidate for HTTPS-only access. |
Featured Stories
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
© 2024 TV. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings