Do not expose API in non-secure context

[dlongley]

Since CHAPI is not meant to be available in a non-secure context, the polyfill should not install on non-HTTPS sites. Currently, the browser will eventually block its functionality but it should be blocked immediately and throw a SecurityError error if a developer tries to use it on a non-secure site.

[dmitrizagidulin]

Is the idea here that the polyfill should check the current window URL, and make sure it's https?

[dlongley]

Is the idea here that the polyfill should check the current window URL, and make sure it's https?

Yes. When loading the polyfill, if the window location doesn't use https then the software should throw a DOM SecurityError indicating that the polyfill can only be loaded in a secure context (e.g., 'https').

[llorllale]

Use window.isSecureContext: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts.

I'm not sure we can rely on simply checking the location's url scheme.

[dlongley]

This looks pretty green: https://caniuse.com/#search=isSecureContext

We should use it but if it's not present (e.g., IE11), we should fall back to using https.