Remove AppCache from Insecure Contexts

Per, we are deprecating and then removing AppCache from insecure contexts. AppCache allows offline and persistent access to an origin, which makes it a powerful privilege escalation for an XSS. Restricting AppCache to HTTPS removes that attack vector.
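To find pages affected by this change, a site owner can check which documents still declare an AppCache manifest while being served from an insecure context. The following is an added example, not code from Chromium or from this page; the function names, the sample pages and the simplified secure-context rule (HTTPS or a loopback host) are assumptions made for illustration.

```javascript
// Simplified secure-context test (assumption): https:, or a loopback host.
function isPotentiallyTrustworthy(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === 'https:') return true;
  const host = u.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  return host === 'localhost' || host.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === '::1';
}

// Return the value of the manifest attribute on the <html> tag, or null.
// Regex-based on purpose: enough for an inventory pass, not a full HTML parser.
function appCacheManifest(html) {
  const tag = /<html\b[^>]*>/i.exec(html);
  if (!tag) return null;
  const m = /\smanifest\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag[0]);
  if (!m) return null;
  return m[1] || m[2] || m[3] || '';
}

// List pages that use AppCache but are not served from a secure context.
function auditAppCache(pages) {
  return pages
    .map(({ url, html }) => ({ url, manifest: appCacheManifest(html) }))
    .filter(p => p.manifest !== null && !isPotentiallyTrustworthy(p.url))
    .map(p => ({ ...p, manifestUrl: new URL(p.manifest, p.url).href }));
}

// Constructed sample input: (URL, response body) pairs from a crawl of your own site.
const samplePages = [
  { url: 'http://shop.example/',
    html: '<!DOCTYPE html><html lang="en" manifest="offline.appcache"><head></head></html>' },
  { url: 'https://shop.example/',
    html: '<html manifest="/offline.appcache">' },          // secure context: unaffected
  { url: 'http://localhost:8080/dev',
    html: "<html manifest='dev.appcache'>" },               // loopback: treated as secure
  { url: 'http://blog.example/post',
    html: '<html lang="en" data-manifest="x"><body></body></html>' }, // no AppCache
];

console.log(auditAppCache(samplePages));
```

Pages reported here need to move to HTTPS to keep working offline.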


Part of the larger effort to remove powerful features on insecure origins: blink-dev discussion and API owner approval:!topic/blink-dev/UKF8cK0EwMI


Status in Chromium


In development (tracking bug)

Consensus & Standardization

  • Public support
  • Mixed public signals
  • No public signals
  • Mixed signals


Last updated on 2017-09-20