AppCache is now removed from insecure contexts. AppCache is a powerful feature that allows offline and persistent access to an origin, which is a powerful privilege escalation for an XSS. This will remove that attack vector by only allowing it over HTTPS. This feature was deprecated in Chrome 67.

Documentation

• https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
• https://w3c.github.io/webappsec-secure-contexts/

Status in Chromium

Blink components: Blink

Implementation status: Removed (tracking bug)

Consensus & Standardization

• Firefox: Positive
• Safari: No signal
• Web Developers: Mixed signals

Owner

• jww@chromium.org

Comments

Part of the larger effort to remove powerful features on insecure origins: https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins blink-dev discussion and API owner approval: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/UKF8cK0EwMI

Search tags

Last updated on 2021-12-21