A browser enters a secure context when the page meets the minimum requirements for being delivered securely. Secure contexts let the browser expose APIs that should only be available when content reaches the user over a secure transport.
Why should some features be restricted?
Some APIs on the web are very powerful, giving an attacker the ability to do the following and more:
- Invade a user's privacy.
- Get low level access to a user's computer.
- Get access to data like user credentials.
When is a context considered secure?
A context is considered secure when it is delivered securely or locally. A context that is not a top-level browsing context (that is, a page that is framed in some way rather than being the outermost document) must additionally have only secure-context parents.
Locally delivered files such as https://localhost and file:// paths are considered secure.
Contexts that are not local must be served over https:// or wss://, and the protocol versions and cipher suites used must not be ones considered deprecated.
Feature detection
Pages can use feature detection to check whether they are in a secure context or not by using the isSecureContext boolean, which is exposed on the global scope.

    if (window.isSecureContext) {
      // Page is a secure context so service workers are now available
      navigator.serviceWorker.register("/offline-worker.js").then(function () {
        ...
      });
    }
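The following is an added example (not code from the original page or from any browser vendor) that puts the two rules above into working form: it classifies a document URL as securely or locally delivered using the schemes and hosts the page names, applies the "every ancestor must also be secure" rule to a chain of frames, and gates a feature on isSecureContext the way the snippet above does. The function names, the `chain` array layout (document first, top-level browsing context last) and the treatment of the loopback hosts 127.0.0.1 and [::1] as "local" are assumptions made here; the URL check is an illustration of the page's text, not the specification's full trustworthy-origin algorithm.

```javascript
// Added example, not part of the original page. Illustrates the secure-context
// rules stated in the text; it is not the spec's complete algorithm.

// Schemes the page lists as acceptable for non-local delivery.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Hostnames treated as locally delivered. localhost comes from the page;
// the loopback addresses are an assumption of this example.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True when a single document URL is delivered securely or locally.
function isSecurelyDelivered(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // an unparsable URL is never treated as secure
  }
  if (url.protocol === "file:") return true;          // local file
  if (LOCAL_HOSTS.has(url.hostname)) return true;      // local server
  return SECURE_SCHEMES.has(url.protocol);             // https:// or wss://
}

// chain[0] is the document itself and chain[1..] are its ancestor documents
// up to the top-level browsing context. A framed document is a secure
// context only when it and every ancestor are securely delivered.
function isSecureContext(chain) {
  return chain.length > 0 && chain.every(isSecurelyDelivered);
}

// Feature detection as in the page's snippet, written to take the global
// object as a parameter so it can be exercised outside a browser. Returns
// the registration promise, or null when service workers are unavailable
// because the context is not secure (or the API is absent).
function registerOfflineWorker(win) {
  if (!win.isSecureContext || !win.navigator || !win.navigator.serviceWorker) {
    return null;
  }
  return win.navigator.serviceWorker.register("/offline-worker.js");
}

// Constructed sample inputs for a stand-alone run.
console.log(isSecurelyDelivered("https://example.com/app"));           // true
console.log(isSecurelyDelivered("http://example.com/app"));            // false
console.log(isSecureContext(["https://a.example/", "http://b.example/"])); // false

module.exports = { isSecurelyDelivered, isSecureContext, registerOfflineWorker };
```

Note that the check in registerOfflineWorker relies on the browser's own isSecureContext value rather than re-deriving it from URLs; the URL classification is only there to make the rules in the text visible and testable.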
What APIs require secure contexts?
Draft proposals
- https://w3c.github.io/sensors/
- https://w3c.github.io/webappsec-credential-management/
- https://w3c.github.io/geofencing-api/
- https://w3c.github.io/web-nfc/releases/20150925/
Browsers
Some browsers may opt to make certain APIs secure-context-only on their own. Chrome, for example, issues deprecation warnings when the following are used outside a secure context:
- Device motion / orientation
- EME
- Fullscreen
- Geolocation - Removed for non secure contexts in Chrome 50
- getUserMedia() - Removed from non secure contexts in Chrome 47
- Web Cryptography API - in Chrome it is restricted to HTTPS, although this restriction predates the Secure Context check.
Specifications
Specification | Status | Comment |
---|---|---|
Secure Contexts | Working Draft | Editor's Draft |
Browser compatibility
Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari (WebKit) |
---|---|---|---|---|---|
Basic support | (Yes) | 49 (49) | ? | ? | ? |
Feature | Android | Android Webview | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile | Chrome for Android |
---|---|---|---|---|---|---|---|
Basic support | No support | (Yes) | 49.0 (49) | ? | ? | ? | (Yes) |