Features restricted to secure contexts

This reference lists the web platform features available only in secure contexts — see Secure Contexts for a definition and more details.

Current features available only in secure contexts

This section lists all the APIs available only in secure contexts, along with browser versions the limitation was introduced in, as appropriate.

Note: Only the browsers that actually support secure contexts are listed in this document. See here for information on secure contexts support.

API Chrome/Opera Edge Safari Firefox
Application Cache (Yes) ? ? 60, Nightly/Beta
Geolocation 47 / (Yes) No restriction; works in secure/non-secure contexts. (Yes) 55
Payment Request API (and Basic Card Payment). (Yes) (Yes) No support Currently not suported; being developed behind the dom.payments.request.enabled pref.
Service workers (Yes) (Yes) (Yes) (Yes)
Storage API (Yes) (Yes) No support (Yes)
Web Bluetooth (Yes) No support No support No support
Web MIDI (see MIDIAccess, for example) (Yes) No support No support No support

Secure context restrictions that vary by browser

Some browsers may decide to disable certain APIs in non-secure contexts or apply other restrictions/security measures, despite the spec not requiring them. This section lists any such differences existing in browsers.

API Chrome Edge Safari Firefox
Device motion / orientation Deprecation warning      
Encrypted Media Extensions Deprecation warning     Planned.
getUserMedia() Disabled in non-secure contexts in Chrome 47+     Temporary access available only (users cannot choose "Remember this decision" in the permission request dialog).
Notifications Disabled in non secure contexts in Chrome 62      
ping attribute   Disabled in non-secure contexts    
Presentation Deprecation warning in 61      
Web Crypto API is restricted to HTTPS however predates the Secure Context check.    

Planned.

Application Cache Public support for removal    

Planned 62.

Note: Safari and Chrome don't support the full secure contexts specification so APIs may work when using HTTPS iframes inside an HTTP page or pages that have an 'opener context' with an insecure page (this happens when an HTTP page uses Window.open() or the target attribute with a value of _blank).

Future features that will be available only in secure contexts

See also

Document Tags and Contributors

Contributors to this page: cletusw, chrisdavidmills, jonathanKingston, erikadoyle, Annevk
Last updated by: cletusw,