Closed Bug 1605857 Opened 5 years ago Closed 5 years ago

window.crypto.subtle functions are exposed on http (not https) web pages

Categories: Core :: DOM: Web Crypto, defect
Version: 73 Branch
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1333140

People

(Reporter: github.christian, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

The functions window.crypto.subtle.importKey(), deriveKey(), decrypt() and encrypt() are enabled on pages using the HTTP protocol.
That means that a "man-in-the-middle" attack can be used to discover passwords or encrypted data.

On all other browsers, window.crypto.subtle functions are disabled when using the HTTP protocol.

Note: I have not performed tests on other crypto.subtle functions, but I suppose that it's the same problem.

Actual results:

window.crypto.subtle functions are working on http pages

Expected results:

window.crypto.subtle functions must be disabled on http pages
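The report above shows why a page should not treat the mere presence of `window.crypto.subtle` as proof that it is running in a secure context: in the Firefox build reported here the object is exposed on http:// pages, while other browsers hide it there. The following is an added example, not code from the bug report or from Firefox, of a gate that decides on `window.isSecureContext` instead of feature detection. The function names `subtleCryptoPolicy` and `encryptIfSecure`, and the three constructed `window`-shaped objects, are assumptions made for the example.

```javascript
// Added example (not from the bug report): decide whether a page may use
// SubtleCrypto based on window.isSecureContext, not on whether
// window.crypto.subtle happens to be defined. Per this bug, Firefox 73
// exposes crypto.subtle on http:// pages, so "subtle is present" is not
// a secure-context check. `win` is any object shaped like `window`.
function subtleCryptoPolicy(win) {
  const secureContext = win.isSecureContext === true;
  const subtleAvailable = Boolean(win.crypto && win.crypto.subtle);
  if (!secureContext) {
    return {
      allowed: false,
      subtleAvailable,
      reason: subtleAvailable
        ? 'crypto.subtle is exposed but the context is insecure (http): the page, its scripts and its data can all be altered in transit'
        : 'insecure context: crypto.subtle is not exposed',
    };
  }
  if (!subtleAvailable) {
    return { allowed: false, subtleAvailable, reason: 'secure context, but SubtleCrypto is unavailable' };
  }
  return { allowed: true, subtleAvailable, reason: 'secure context with SubtleCrypto' };
}

// Wrapper that refuses to run a SubtleCrypto operation outside a secure
// context. Runs in a browser; `keyBytes` is a 16/24/32-byte Uint8Array and
// `plaintext` a Uint8Array.
async function encryptIfSecure(win, keyBytes, plaintext) {
  const policy = subtleCryptoPolicy(win);
  if (!policy.allowed) {
    throw new Error('refusing to use SubtleCrypto: ' + policy.reason);
  }
  const subtle = win.crypto.subtle;
  const key = await subtle.importKey('raw', keyBytes, { name: 'AES-GCM' }, false, ['encrypt']);
  const iv = win.crypto.getRandomValues(new Uint8Array(12)); // fresh nonce per message
  const ciphertext = await subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
  return { iv, ciphertext: new Uint8Array(ciphertext) };
}

// Constructed stand-ins for the three situations described in the report.
const firefoxHttp = { isSecureContext: false, crypto: { subtle: {} } }; // subtle exposed on http
const otherBrowserHttp = { isSecureContext: false, crypto: {} };        // subtle hidden on http
const anyBrowserHttps = { isSecureContext: true, crypto: { subtle: {} } };

// Usage: subtleCryptoPolicy(firefoxHttp).allowed is false even though
// subtleAvailable is true; only anyBrowserHttps is allowed.
```

The point of the gate is that the decision is the same on every browser: whether or not the engine hides `crypto.subtle` on http pages, the page itself refuses to derive or encrypt anything until `isSecureContext` is true.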

Group: firefox-core-security → crypto-core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core

Looking at bug 1333140, it seems like this is probably intentional, but it is an area where we are not matching the spec, so I'm not sure it is a security issue per se, though as you mention it means a crypto method can be used on an insecure page.

I don't believe this is a security problem per se, either. These functions are not given access to any data encrypted by the browser itself. They are [SecureContext] so insecure pages won't pretend to be doing secure crypto (which they can't because they can be MITMed).

I suspect we should just open it up and dup it to bug 1333140, which we should actually land.

That said, I assume JC or Dana should make the call on this one, but looks like Dana currently has needinfo requests blocked.

Flags: needinfo?(jjones)

Oh, and this has nothing to do with PSM...

Component: Security: PSM → DOM: Web Crypto
Summary: Security with window.crypto.subtle functions → window.crypto.subtle functions are exposed on http (not https) web pages

Yeah, looks like bug 1333140.

Group: crypto-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jjones)
Resolution: --- → DUPLICATE