Closed Bug 1429432 Opened 6 years ago Closed 5 years ago

Consider making Notifications require SecureContext


(Core :: DOM: Notifications, enhancement, P1)




Tracking Status
firefox67 --- fixed


(Reporter: jkt, Assigned: johannh)


(Blocks 1 open bug)


(Keywords: dev-doc-complete, sec-want, site-compat, Whiteboard: [adv-main67-])


(1 file)

Notifications contribute to annoyances in Firefox (Insecure ISP, Cafe wifi could inject these annoyances etc) and also increase HTTPS adoption.

Chrome has already done this in 62. [1]

This should probably live in the DOM component. There's likely a dupe of it already. FWIW, I'm still planning to add telemetry for this soon.
Component: Site Identity and Permission Panels → DOM: Push Notifications
Product: Firefox → Core
If chrome has already done this months ago can't we Just Do It?
Flags: needinfo?(jhofmann)
Keywords: sec-want
(In reply to Daniel Veditz [:dveditz] from comment #2)
> If chrome has already done this months ago can't we Just Do It?

Well, the telemetry mentioned in comment 1 has been added ( and it shows that ~7.4% of permission prompts shown for notifications still come from HTTP websites (quite a lot considering none of them work in Chrome). OTOH the fact that none of them work in Chrome makes me think that most of these sites are pretty spammy and turning this off for them might actually be a service to the user.

I'm not 100% sure who maintains notifications on DOM side nowadays, it might be worth having them weigh in here. Anne, Andrew, do you know?
Flags: needinfo?(overholt)
Flags: needinfo?(jhofmann)
Flags: needinfo?(annevk)
As far as I know they don't really have an active owner.
Flags: needinfo?(annevk)
Anne's correct. I agree with comment 3.
Flags: needinfo?(overholt)
I can look into this once the thing that I'm currently doing is done...
Flags: needinfo?(jhofmann)

It would probably be good to get this done in 67 to reduce the noise in our upcoming permission prompt annoyance experiments...

Assignee: nobody → jhofmann
Flags: needinfo?(jhofmann)
Priority: P2 → P1
Keywords: site-compat
Pushed by
Require Secure Context for Notifications. r=Ehsan
Backout by
Backed out changeset 279a75b5a6d4 for failing at test_notification_insecure_context.html on a CLOSED TREE.

Backed out changeset 279a75b5a6d4 (bug 1429432) for failing at test_notification_insecure_context.html on a CLOSED TREE.

Backout link:

Push with failures:

Log link:

Log snippet:

[task 2019-02-27T00:54:57.212Z] 00:54:57 INFO - TEST-START | dom/notification/test/mochitest/test_notification_insecure_context.html
[task 2019-02-27T00:54:57.304Z] 00:54:57 INFO - GECKO(1430) | ++DOMWINDOW == 37 (0xdd818800) [pid = 1430] [serial = 37] [outer = 0xe1bb7420]
[task 2019-02-27T00:54:57.425Z] 00:54:57 INFO - TEST-INFO | started process screentopng
[task 2019-02-27T00:54:57.926Z] 00:54:57 INFO - TEST-INFO | screentopng: exit 0
[task 2019-02-27T00:54:57.928Z] 00:54:57 INFO - TEST-UNEXPECTED-FAIL | dom/notification/test/mochitest/test_notification_insecure_context.html | Denied permission in insecure context - got "granted", expected "denied"
[task 2019-02-27T00:54:57.930Z] 00:54:57 INFO -
[task 2019-02-27T00:54:57.931Z] 00:54:57 INFO - runTest@dom/notification/test/mochitest/test_notification_insecure_context.html:32:5
[task 2019-02-27T00:54:57.933Z] 00:54:57 INFO - async*@dom/notification/test/mochitest/test_notification_insecure_context.html:43:5
[task 2019-02-27T00:54:57.934Z] 00:54:57 INFO - TEST-PASS | dom/notification/test/mochitest/test_notification_insecure_context.html | Granted permission in insecure context with pref set
[task 2019-02-27T00:54:57.936Z] 00:54:57 INFO - GECKO(1430) | MEMORY STAT | vsize 593MB | residentFast 278MB | heapAllocated 94MB
[task 2019-02-27T00:54:57.938Z] 00:54:57 INFO - TEST-OK | dom/notification/test/mochitest/test_notification_insecure_context.html | took 297ms

Flags: needinfo?(jhofmann)
Flags: needinfo?(jhofmann)
Pushed by
Require Secure Context for Notifications. r=Ehsan
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Note to MDN writers:

I've added a note about this to the Fx67 rel notes:

In terms of docs this needs BCD, secure context labels, notifications api adding to secure context page, and anything else you think is needed (check what the notifications guides say too).

Whiteboard: [adv-main67-]

This change seems to have clobbered WebRTC permission request popups on localhost for FF dev-edition.

Sorry nevermind it was actually this that did it:

It would be nice if there was a way to manually remove the https restriction for specific sites, if nothing else, for web development.

Having to set up an htttp daemon as a reverse proxy + SSL certificate just to be able to develop and test this feature makes it a non-starter.

Actually, there is a dom.webnotifications.allowinsecure option. But that's not ideal.

It would be nice to add a site-specific exception.

Well, you could use GitHub or Glitch or some such, but there's bug 1409841 to see if we should add some kind of setting.

It seems you can add a site-specific workaround:

  1. In about:config set dom.webnotifications.allowinsecure to true
  2. Visit the http site in question, and allow notifications
  3. In about:config set dom.webnotifications.allowinsecure back to fall
You need to log in before you can comment on or make changes to this bug.