Web Browser Secure Contexts

February 14, 2017 #webdev #security

HTTPS - it isn’t just for breakfast authentication anymore.

Yeah, I stole that from a Florida Orange Juice 1979 TV commercial.


So, what are Secure Contexts anyway? The MDN page Secure Contexts - Web security | MDN provides the full details, but the key points are:

  • A context will be considered secure when it’s delivered securely or locally.
  • Secure contexts allow the browser to expose APIs that should only be permitted when transferred securely to the user.

Some APIs (Service Workers, Web Bluetooth, Encrypted Media Extensions) require secure contexts per their specifications, while other APIs (getUserMedia, Geolocation, etc.) have been disabled in non-secure contexts by browser vendor decision (see Prefer Secure Origins For Powerful New Features - The Chromium Projects).
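To make the "delivered securely or locally" rule from the bullets above concrete, here is an added example (not code from the original post or from MDN) that re-implements a simplified version of the Secure Contexts spec's "potentially trustworthy origin" check so it can be run outside a browser, then gates a secure-context-only API on it. It assumes the WHATWG `URL` global (available in browsers and Node) and ignores the spec's ancestor-frame rule.

```javascript
// Simplified "potentially trustworthy origin" check (added example).
// A real page should read window.isSecureContext instead; this exists so
// the securely-or-locally rule can be exercised and tested on its own.

// Hosts that count as "delivered locally" (loopback).
function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets on IPv6 literals, e.g. "[::1]".
  if (hostname === '[::1]') return true;
  // "localhost" and any subdomain of it resolve to loopback.
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// True when a top-level document at this URL would be a secure context.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  // Transport-secured schemes are trustworthy regardless of host.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // file: documents are local by definition.
  if (url.protocol === 'file:') return true;
  // Plain http:/ws: qualify only when the host is loopback.
  if (url.protocol === 'http:' || url.protocol === 'ws:') {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// Feature gating the way a page would do it: Service Worker registration is
// secure-context-only, so a non-secure page must fall back to something else.
function chooseStrategy(urlString) {
  return isPotentiallyTrustworthy(urlString)
    ? 'register-service-worker'
    : 'fallback';
}
```

In a browser, `window.isSecureContext` already answers this question (including the ancestor-frame rule), so the check above is only useful for understanding the rule or for tests that run outside a browser.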

That means that for some browser features to work at all, you need full-session HTTPS. Lots of web applications do this today and have been doing so for years. I’m personally proud that WestlawNext launched this way, starting with our User Acceptance Testing (UAT) pre-release environment in 2009. That predates both Gmail (Official Gmail Blog: Default https access for Gmail) and Google Search (Official Google Blog: Search more securely with encrypted Google web search).

Kevin Hakanson

