Mozilla To Deprecate Non-Secure HTTP Sites
Mozilla plans to phase out non-secure HTTP, meaning that new features will be allowed only on HTTPS websites. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.
Richard Barnes, Firefox Security Lead, said that Mozilla will start removing capabilities from the non-secure web. According to the plan, Mozilla will first set a date after which all new features will be available only to secure websites, and then it will gradually phase out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
"For example, one definition of 'new' could be 'features that cannot be polyfilled'," Barnes said.
"That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (eg, using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities."
Removing features from the non-secure web will likely cause some sites to break.
"So we will have to monitor the degree of breakage and balance it with the security benefit," Barnes added.
For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.