AppCache on Non-secure Contexts (deprecated)

Per, we are deprecating and then removing AppCache from insecure contexts. AppCache is a powerful feature that allows offline and persistent access to an origin, which is a powerful privilege escalation for an XSS. This will remove that attack vector by only allowing it over HTTPS. This feature is expected to be removed in Chrome 69.


Part of the larger effort to remove powerful features on insecure origins: blink-dev discussion and API owner approval:!topic/blink-dev/UKF8cK0EwMI


Status in Chromium


Deprecated (tracking bug) in:

  • Chrome for desktop release 67
  • Chrome for Android release 67
  • Android WebView release 67
  • Opera release 54
  • Opera for Android release 54

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Public support
  • Mixed public signals
  • No public signals
  • Mixed signals


Last updated on 2018-04-30