Features restricted to secure contexts

This reference lists the web platform features available only in secure contexts — see Secure Contexts for a definition and more details.

Current features available only in secure contexts

This section lists all the APIs available only in secure contexts, along with browser versions the limitation was introduced in, as appropriate.

Note: Only the browsers that actually support secure contexts are listed in this document. See here for information on secure contexts support.

API Chrome/Opera Edge Safari Firefox
Service Workers 40 17 11.1 44
Push API 42 17 Not supported 44
Payment Request API (and Basic Card Payment). 61 15 11.1 In development (behind the dom.payments.request.enabled pref).
Credential Management API 51 Not supported Not supported Not supported
Web Authentication API 65 In preview (17) In development 60
Storage API 55 Not supported Not supported 51
Async Clipboard API 66 Not supported Not supported 63
Background Sync (see SyncManager, for example) 49 Not supported Not supported Not supported
Web Bluetooth 56 Not supported Not supported Not supported
Web MIDI (see MIDIAccess, for example) 43 Not supported Not supported Not supported
Generic Sensor API 67 Not supported Not supported Not supported
Reporting API Supported Not supported Not supported Behind flag since Fx 65
Cache-Control: immutable Not supported 15 11 49

Secure context restrictions that vary by browser

Some browsers may decide to disable certain APIs in non-secure contexts or apply other restrictions/security measures, despite the spec not requiring them. This section lists any such differences existing in browsers.

API Chrome Edge Safari Firefox
Application Cache Restricted to secure contexts planned in Chrome 70 deprecation planning started in February 2018 public interest on deprecation WebKit bug 182442 Restricted to secure contexts in Firefox 62
Geolocation Restricted to secure contexts in 50 Restricted to secure contexts in 10 Restricted to secure contexts in 55
Device Orientaion / Device Motion Deprecation warning Deprecation warnings since 60. Note that these apply to secure contexts as well.
Encrypted Media Extensions Restricted to secure contexts in 58 Planned.
getUserMedia() Restricted to secure contexts in Chrome 47 Temporary access available only (users cannot choose "Remember this decision" in the permission request dialog).

Restricted to secure contexts in Firefox 68.
Notifications Restricted to secure contexts in Chrome 62 Restricted to secure contexts in Firefox 67.
<a ping> attribute Disabled in non-secure contexts Support has been added since Firefox 3, but never been enabled by default (behind the browser.send_pings pref).
Presentation Deprecation warning in 61
Web Crypto API has been restricted to HTTPS since early days (API was visible in HTTP as well but operations failed). Restricted to secure contexts in Chrome 60 (API is no longer visible on non-secure contexts). Planned.
registerProtocolHandler() Restricted to secure contexts in Firefox 62.

Note: Safari and Chrome don't support the full secure contexts specification so APIs may work when using HTTPS iframes inside an HTTP page or pages that have an 'opener context' with an insecure page (this happens when an HTTP page uses Window.open() or the target attribute with a value of _blank).

See also