Remove AppCache from Insecure Contexts
Per https://w3c.github.io/webappsec-secure-contexts/, we are deprecating and then removing AppCache from insecure contexts. AppCache is a powerful feature that allows offline and persistent access to an origin, which makes it a significant privilege escalation for an XSS. Allowing AppCache only over HTTPS removes that attack vector.
Documentation
Status in Chromium
In development (launch bug)
Consensus & Standardization
- Public support
- No public signals
- No public signals
- Mixed signals
Owner
Last updated on 2016-02-23
Comments
Part of the larger effort to remove powerful features on insecure origins: https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
blink-dev discussion and API owner approval: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/UKF8cK0EwMI