All “Secure Contexts” Only Features In Chrome

  • Monday, 17th July, 2017
  • 17:38pm

 

Complete List of HTTPS-Only Features in Chrome

In order to keep users secure, Chrome has restricted a number of features to “secure origins” only. On the web, this usually means the feature is only available if your website uses HTTPS.

This is part of an initiative by Google known as “Deprecating Powerful Features on Insecure Origins.” In plain language, this means that browser features which access your device (e.g. local storage, microphone) or sensitive user data can only be used with a secure connection.

This applies to both existing features/APIs and new ones. Some features, such as the Google-championed Service Worker API, were designed with the expectation that they can only be used securely.

“Secure origins” or “secure contexts” include a variety of schemes and hosts. The most popular of these would be HTTPS and localhost. All secure origins are defined here by Google. There is also a W3C candidate specification defining secure context for those that like to read internet standards.
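As an added example (not code from Google or the W3C specification), the sketch below approximates the origin check described above so a list of deployed URLs can be audited for pages that would lose powerful features. It assumes the secure set is the `https`, `wss` and `file` schemes plus loopback hosts (`localhost`, `127.0.0.0/8`, `::1`); the function names and sample URLs are constructed for illustration.

```javascript
// Approximation of the "secure origin" test: secure scheme OR loopback host.
// Assumption: this covers only the origin itself. A real browser also looks at
// the embedding documents, so in page code trust window.isSecureContext.
const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);

function isLoopbackHost(hostname) {
  // Normalise case and a trailing root dot ("localhost." == "localhost").
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // WHATWG URL keeps the brackets on IPv6
  // IPv4 loopback block 127.0.0.0/8
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null &&
    m.slice(1).every((octet) => Number(octet) <= 255) &&
    Number(m[1]) === 127;
}

function classifyOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { secure: false, reason: "unparseable URL" };
  }
  if (SECURE_SCHEMES.has(url.protocol)) {
    return { secure: true, reason: `secure scheme ${url.protocol}` };
  }
  if (isLoopbackHost(url.hostname)) {
    return { secure: true, reason: "loopback host" };
  }
  return { secure: false, reason: `${url.protocol} on a non-loopback host` };
}

// Returns the URLs where HTTPS-only features would be unavailable.
function auditUrls(urls) {
  return urls.filter((u) => !classifyOrigin(u).secure);
}

// Constructed sample input.
const SAMPLE_URLS = [
  "https://shop.example/checkout",
  "http://shop.example/store-locator",   // geolocation would be blocked here
  "http://localhost:8080/dev",
  "http://127.0.0.1:3000/",
  "http://localhost.shop.example/",      // look-alike, not loopback
];

console.log(auditUrls(SAMPLE_URLS));
```

Hostnames that merely contain `localhost` as a left-hand label are treated as ordinary hosts, which is why the look-alike entry is reported alongside the plain HTTP page.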

For many of these features a specific removal date/version has not been given. This is because Chrome’s developers look at real-world use of these features and may decide to delay removal until developers are ready. In general, they like to wait until insecure use of a feature drops below 0.03% of all page loads before removing a feature’s ability to work on insecure origins.

Keeping track of the details can be a bit difficult, so we put together a list of features already restricted to secure origins and which ones are on the chopping block.

Powerful Features? What are they?

What makes a feature powerful?

According to Google’s definition it is any feature which “handle personally-identifiable information… handle high-value information like credentials or payment instruments…[or] provide the origin with control over the UA’s trustworthy/native UI, access to sensors on the user’s device, or generally any feature that we would provide a user-settable permission or privilege to.”

In a Wired interview from last year, one of Chrome’s security leads explained that in order “to compete with mobile apps,” Google “wants web pages to be able to reach deeper into your computer’s resources, accessing the same sensitive information, like location and offline data, that apps routinely use. But if the web’s tendrils are going to extend further into our private lives, they first need to be secure.” That involves a number of initiatives to make Chrome safer, and securing powerful features is one of them.

Note that the below list of powerful features will grow over time. Any feature which would require the user to grant permission is a good candidate for a powerful feature.

Google Permissions Warning

Check back with this document as it will be updated as Google releases new information. Please leave a comment if you have any questions on features you may be concerned about or need clarity on.
