← View all posts
July 1, 2019

Camera & microphone require https in Firefox 68.

Contributed by Jan-Ivar Bruaroey,

As of Firefox 68—releasing next week—camera and microphone will require an https connection to work. Access from insecure http will cease to work, matching how Chrome works. Camera and microhone are powerful features, and Firefox will now only expose them in secure contexts, a security and privacy improvement.

Largely an issue for developers to catch up on, this may nonetheless affect end users who follow old http links to servers that either still don’t redirect their users to https automatically, or don’t support it at all. If you’re experiencing this problem, click your URL bar, and if the URL starts with http, try changing it to https, and it should work again, provided the server supports https.

The rest of this blog post is for web developers, since there are some details that may be of interest to them. Firefox is deprecating camera and microphone access in insecure contexts in two steps:

Firefox 68 behavior

In Firefox 68, getUserMedia will still be there, but the promise returned from it will always be rejected with NotAllowedError, while enumerateDevices will continue to work until Firefox 69. This matches how Chrome has worked for a good while (pre Chrome 74), and should be highly web compatible. It is an intermediate stepping stone to Firefox 69.

Firefox 69 behavior

In Firefox 69, both getUserMedia and enumerateDevices will throw TypeError. This matches how Chrome 74+ and the the spec now work.

It is worth pointing out that this TypeError exception will come from the absence of the navigator.mediaDevices object in insecure contexts—or, if callbacks are used, the absence of the deprecated navigator.mozGetUserMedia function. Any JavaScript that doesn’t test for this before invoking navigator.mediaDevices.getUserMedia() will get an immediate exception thrown instead of merely having its promise rejected. Compared to Firefox 68, this might affect surrounding code, hence the two-step process.

How SecureContext improves things

Some good news for web developers is that camera and microphone will continue to work from http://localhost! This is thanks to the modern definition of secure context, which defines local sources as secure. It also fixes other edge cases, like an https iframe in an http page is now considered insecure. It also cleans up camera and microphone access from embedded JS using srcdoc (works) and data: URLs (no longer works).