Mozilla this week decreed that future web-facing features of Firefox must meet an under-development standard that requires all browser-to-server-and-b
Mozilla this week decreed that future web-facing features of Firefox must meet an under-development standard that requires all browser-to-server-and-back traffic be encrypted.
“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” wrote Mozilla engineer Anne van Kesteren in a post to a company blog. “A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.”
Secure contexts, dubbed a “minimum security level,” is a pending standard of the W3 (World Wide Web Consortium), the primary standards body for the web. Secure contexts’ main purpose, according to its documentation: “Application code with access to sensitive or private data be delivered confidentially over authenticated channels that guarantee data integrity.”
In practice, that means traffic must be encrypted to prevent “man-in-the-middle” attacks in which hackers siphon insecure browser-server traffic by getting between the two and listening.
Henceforth, any newly-introduced Firefox feature that relies on browser-to-server communication will work only across HTTPS connections. Older features and/or technologies will continue to operate across unencrypted HTTP links on a “case-by-case basis,” said van Kesteren. He also pledged that Mozilla would provide developer tools to “ease the transition to secure contexts.”
The move isn’t out of the blue: Mozilla first announced intentions to require HTTPS in April 2015. The first item of business then was “setting a date after which all new features will be available only to secure websites,” which this week’s missive scratched off the to-do list. Nor was Mozilla flying solo on the tactic, as others, notably Google, have been pressuring sites to convert from HTTP to HTTPS since 2014.
(Mozilla has been in that hunt as well with its sponsorship of the Let’s Encrypt project, which provides free certificates to secure sites. By Mozilla’s tally, 66% of all Firefox-loaded pages were encrypted this month.)
The next opportunity for Firefox to introduce a new feature or technology that would be immediately affected by its announcement will be Jan. 23, when version 58 is to ship.