AppCache is now removed from insecure contexts. AppCache is a powerful feature that allows offline and persistent access to an origin, which is a powerful privilege escalation for an XSS. This will remove that attack vector by only allowing it over HTTPS. This feature was deprecated in Chrome 67.

Documentation

Status in Chromium

Blink


Removed (tracking bug) in:

  • Chrome for desktop release 70
  • Chrome for Android release 70
  • Android WebView release 70

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • No signal
  • Mixed signals

Owner

Comments

Part of the larger effort to remove powerful features on insecure origins: https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins blink-dev discussion and API owner approval: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/UKF8cK0EwMI

Search tags

Security, OWP, AppCache,

Last updated on 2020-11-30