Camera & microphone require https in Firefox 68.
As of Firefox 68—releasing next week—camera and microphone will require an https connection to work. Access from insecure http will cease to work, matching how Chrome works. Camera and microphone are powerful features, and Firefox will now only expose them in secure contexts, a security and privacy improvement.
Largely an issue for developers to catch up on, this may nonetheless affect end users who follow old http links to servers that either still don’t redirect their users to https automatically, or don’t support it at all. If you’re experiencing this problem, click your URL bar, and if the URL starts with http, try changing it to https, and it should work again, provided the server supports https.
The rest of this blog post is for web developers, since there are some details that may be of interest to them. Firefox is deprecating camera and microphone access in insecure contexts in two steps:
Firefox 68 behavior
In Firefox 68, getUserMedia will still be there, but the promise returned from it will always be rejected with
enumerateDevices will continue to work until Firefox 69. This matches how Chrome has worked for a good while (pre Chrome 74), and should be highly web compatible. It is an intermediate stepping stone to Firefox 69.
Firefox 69 behavior
In Firefox 69, both
enumerateDevices will throw TypeError. This matches how Chrome 74+ and the spec now work.
It is worth pointing out that this TypeError exception will come from the absence of the navigator.mediaDevices object in insecure contexts—or, if callbacks are used, the absence of the deprecated
navigator.mediaDevices.getUserMedia() will get an immediate exception thrown instead of merely having its promise rejected. Compared to Firefox 68, this might affect surrounding code, hence the two-step process.
How SecureContext improves things
Some good news for web developers is that camera and microphone will continue to work from http://localhost! This is thanks to the modern definition of secure context, which defines local sources as secure. It also fixes other edge cases: for example, an https iframe in an http page is now considered insecure. It also cleans up camera and microphone access from embedded JS using srcdoc (works) and data: URLs (no longer works).
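
An added example (not code from the original post): a feature-detection wrapper that handles both steps of the deprecation, the rejected promise in Firefox 68 and the missing navigator.mediaDevices object in Firefox 69, without letting a TypeError reach surrounding code. The names mediaSupport, openCamera and httpsEquivalent, the result shape, and the injectable env parameter (which defaults to the page's global object) are assumptions made for illustration.

```javascript
// Added example; function names and result shape are hypothetical.

// Classify the environment before touching getUserMedia.
// Firefox 69 / Chrome 74+: navigator.mediaDevices is absent in insecure
// contexts, so navigator.mediaDevices.getUserMedia() would throw TypeError.
function mediaSupport(env = globalThis) {
  const md = env.navigator && env.navigator.mediaDevices;
  if (md && typeof md.getUserMedia === "function") return "available";
  return env.isSecureContext === false ? "insecure-context" : "unsupported";
}

// Request a stream and report failure as a value instead of an exception.
async function openCamera(constraints, env = globalThis) {
  const support = mediaSupport(env);
  if (support !== "available") return { ok: false, reason: support };
  try {
    const stream = await env.navigator.mediaDevices.getUserMedia(constraints);
    return { ok: true, stream };
  } catch (err) {
    // Firefox 68: the method still exists, but its promise is always
    // rejected in insecure contexts. isSecureContext separates that case
    // from an ordinary refusal (user said no, no device, and so on).
    const reason = env.isSecureContext === false ? "insecure-context" : "rejected";
    return { ok: false, reason, error: err && err.name };
  }
}

// Suggest the https form of an http URL, mirroring the advice to end users.
// http://localhost is left alone because it counts as a secure context.
function httpsEquivalent(href) {
  const url = new URL(href);
  if (url.protocol !== "http:" || url.hostname === "localhost") return null;
  url.protocol = "https:";
  return url.href;
}
```

In a page, call openCamera({ video: true }) and, when reason is "insecure-context", offer the link returned by httpsEquivalent(location.href).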