In the wake of Sniffly, it seems pretty reasonable to prevent folks from locking themselves into insecurity. To that end, Insecure schemes in source expressions now match their secure variants. That is, `http:` is equivalent to `http: https:`, and `` to ``.


Editor's draft

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 49
  • Chrome for Android release 49
  • Android WebView release 49

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • No signal
  • No signal
  • No signals


Last updated on 2020-11-09