GitLab

Next Generation Hidden Services provide vastly improved protection against brute-force attacks than even many TLS certificates. Currently, hidden services can only utilize browser APIs which require secure context https://www.w3.org/TR/secure-contexts/ if they are provided over HTTPS.

The CA/Browser forum has allowed for Extended Validation HTTPS certificates to be issued for .onion addresses https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names/, but this both a) requires deanonymization of the HS to comply with the EV requirements, and b) is often prohibitively expensive.

Explicitly allowing browser APIs for onion addresses which are only allowed in secure contexts, even if they are not provided over HTTPS, would fix this. It's important to note that the APIs which are allowed only in secure contexts have this restriction often because they are releasing personally identifiable information about the end user (such as location), but this is not necessarily the case. This obviously does not supersede the scrutiny individually applied to the various APIs wrt their privacy implications, which is quite a separate consideration.