HTTPS - it isn’t just for
Yeah, I stole that from a Florida Orange Juice 1979 TV commercial.
- A context will be considered secure when it’s delivered securely or locally.
- Secure contexts allow the browser to expose APIs that should only be permitted when transferred securely to the user.
Some APIs (Service Workers, Web Bluetooth, Encrypted Media Extensions) require secure contexts per specification, while other APIs (getUserMedia, Geolocation, etc) have been disabled in non-secure contexts due to browser vendor decisions (see Prefer Secure Origins For Powerful New Features - The Chromium Projects).
That means for some browser features even to work, you need to have full session HTTPS. Lots of web applications do this today and have been doing so for years. I’m personally proud that WestlawNext launched this way, starting with our User Acceptance Testing (UAT) pre-release environment in 2009. That predates both Gmail (Official Gmail Blog: Default https access for Gmail ) and Google Search (Official Google Blog: Search more securely with encrypted Google web search).