Best Practices 01-09-2018

HTTPS-Only Features in Major Browsers

Vincent Lynch

You may not know this little fact: certain browser features require HTTPS to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS.

We often talk about the benefits to the user experience and website reputation by adopting HTTPS, but being able to develop a website with modern capabilities may be an even more compelling reason.

There are currently 10 features that require HTTPS in at least one major browser—including HTTP/2 and Brotli compression (both groundbreaking improvements in web technologies)— and plans to restrict three existing features to HTTPS sometime in the future.

We are going to briefly cover the background of HTTPS-only features and then the list of current and future features that require a secure connection.

The Importance of Secure Contexts

Google initially proposed . They realized that websites were starting to offer comparable experiences to native apps with browser features, such as webcam support and the local data storage. This was good news for rich web apps, but it posed a security risk if those features could be tampered with by a man-in-the-middle or other network interference or impersonation.

Imagine a user connects to your site and someone else on the network can piggyback on your access to their webcam or microphone and eavesdrop. Or worse, that network attacker entirely fabricates a request to access their webcam with an HTTP injection.

Since Google’s initial concept, their proposal has evolved into “,” a W3C draft that hopes to become the internet standard for defining secure access to these advanced browser features.

Despite Secure Contexts being drafted, new features and standards have already been designed to require HTTPS from their inception—the biggest being HTTP/2. All major browsers require websites use HTTPS with HTTP/2, meaning you have absolutely no access to the newest version of the internet’s core protocol if you’re still serving unencrypted HTTP.

Other major standards like Brotli, a compression algorithm that offers better performance than gzip, and Google’s AMP, were also designed around HTTPS support.

You’ve likely heard some news recently about web browser initiatives around HTTPS. The increasing number of features, standards, and APIs that require HTTPS is yet another indicator of browsers’ strong interest in spurring adoption and the HTTPS-only future of the internet.

It can be hard to keep track of which features require HTTPS and how that affects specific browsers. This table summarizes all this information—including existing features that are planned to become HTTPS-only. Even if you don’t use these features on your website, this should serve as an eye-opener for just how serious major browsers like Chrome and Firefox are about HTTPS.

When a feature is HTTPS-only in a browser we list the version number with a link to documentation of the change. If a feature is not supported at all, or allowed over HTTP, we note that and any possible plans to restrict that feature in the future. This list will be updated as new announcements are made by browsers.

Secure-Origin-Only Features & Standards

Feature/Standard: HTTPSOnlyStarting: Notes:
AMP (Accelerated Mobile Pages) This one is unlike the others— is Google’s open-source standard at serving pages for the mobile web.
Many AMP features, including iframes, video embedding, and serving ads require HTTPS. The full list of AMP components is , where you can check for an HTTPS requirement.
Bluetooth (Web Bluetooth) This API is only supported in Chrome
Brotli Since Introduction A compression format that offers better performance than gzip. Supported in Chrome 50 and Firefox 44.
getUserMedia (Webcam and Microphone)

Partially supported in Firefox

Firefox allows getUserMedia over HTTP, but only with one-time permission. This requires the user to give permission on each visit.
In Chrome, the Speech Recognition API, which requires access to the microphone as a prerequisite, also requires HTTPS.
Geolocation
HTTP/2 While , every major browser ( Chrome, Firefox, Safari, and Edge) require HTTPS for HTTP/2.
EME (Encrypted Media Extensions) with no announced release date.
Notifications The Notifications API is allowed in Firefox over HTTP.
Payment Request API (Web Payments) .
This API is not yet supported in Firefox.
Service Workers
Web Crypto with no announced release date.

Upcoming Changes

These features and standards are still available over HTTP—for now. Browsers or standards groups (like the W3C or IETF) have expressed interest in requiring HTTPS for these in the future.

Feature/Standard: WillRequireHTTPSStarting: Notes:
AppCache (Application Cache) N/A Chrome has . But note that this API in its entirety is also being abandoned by browsers and replaced by the .
Device Motion / Orientation N/A .
Fullscreen N/A The lists fullscreen as a good candidate for HTTPS-only access.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-11-2024

FIPS 140-3 certification unlocked for TrustCore SDK

10-31-2024

Announcing the GA release of Device Trust Manager