MCe
Allowing unsafe HTTP

Preamble:

This document has been simplified about every year or so since 2015.

Essentially, back in 2015 it was reasonable but not recommended to run in HTTP so we set things up so you could run in HTTPS, but most people ran in HTTP.

In late 2016/early 2017, Chrome and then other browsers started taking critical features away from HTTP and only allowing them in HTTPS.

By 2018 it was really impractical to run with HTTP except under very special circumstances.

By 2019 it was impossible for a real app to run in HTTP, you have to have HTTPS.

This document used to have long details about when and how you could use HTTP. But those 'cheats' became more and more impossible until, quite frankly, we have no idea how to cheat anymore – and the user experience would be so terrible it makes no sense to try.

Overview:

In 2015 Chrome was warning that soon they would be taking features away, one or two per version, from HTTP.

As of late 2015 we have fully supported MC and MCe in HTTPS because HTTPS means that we have ZERO data corruption sending data between the server and the client, and because for servers on the internet it provided more security.

Somewhere along the way we started encouraging everyone to use HTTPS.

As of January 2017, due to browser support being removed, we stopped officially supporting HTTP for MCe or MCxLE.

This means that, if there are problems due to HTTP, then support is billed by the hour. It doesn't mean we will hang up the phone or ignore your emails!

Browsers are getting more and more aggressive about complaining about HTTP. As 'this' document is being updated in September 2017, Chrome is promising that all pages with any entry fields will start to get scary warnings in October 2017 and more and more features will disappear from HTTP in the coming months and years:

Official reference: https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

Since 2017 to 2021, other browsers continue to follow Chrome's example of removing features when you don't have HTTPS (as they have in the past) usually a few days to a few weeks after Chrome, and as of 2020 to late 2021, Chrome and by extension the other browsers, after taking a COVID-19 break for several months in 2020, and are promising to continue to take away more features in coming releases.

More features are being removed from 'insecure' HTTP every few months by the browsers, with Chrome being at the front of the removals.

We have documented a lot more in a manual that discusses why HTTPS, so I won't repeat it here.

As of October 2018 Chrome removed the support that allowed you to 'cheat' and use HTTP.