Intent to Ship: WebRequest.SecurityInfo in Controlled Frame

80 views
Skip to first unread message

Chromestatus

unread,
Dec 9, 2025, 7:18:29 AM (9 days ago) Dec 9
to blin...@chromium.org, vk...@google.com
Contact emails
vk...@google.com

Explainer
https://github.com/explainers-by-googlers/security-info-web-request

Specification
https://github.com/WICG/controlled-frame/pull/151

Design docs

https://github.com/explainers-by-googlers/security-info-web-request

Summary
This proposal introduces a WebRequest.SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.

Blink component
Blink

Web Feature ID
Missing feature

Motivation
Web apps sometimes need to establish secure raw TCP/UDP connections (e.g., via Direct Sockets) for custom protocols, often to support legacy servers that cannot be updated to modern alternatives like WebTransport. Unlike standard HTTPS, these raw sockets don't have a built-in mechanism to verify the server's TLS certificate against a trusted root store. This proposal introduces a WebRequest SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.

Initial public proposal
https://github.com/WICG/proposals/issues/245

TAG review
Tag does not review Isolated Web Apps. It was stated publicly here https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448

TAG review status
Pending

Risks


Interoperability and Compatibility
Other browsers may choose to implement this API.

Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

Security
This API exposes the server's leaf certificate and fingerprint to the web app. This is not considered a new security or privacy risk. A web app with Isolated Context and the direct-sockets permission can already open a raw TCP connection to any server, perform a (D)TLS handshake using a WASM library, and retrieve the exact same server certificate.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
There's no devTools support for this feature. Since, this feature itself does not modify any web requests, it gives read-only view into server certificate.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
This feature is implemented on desktop platforms, although it will only be available to the end users on platforms that support Isolated Web Apps, which is currently only ChromeOS. Android is excluded for historical reasons, although there are no apparent interoperability blockers here.

Is this feature fully tested by web-platform-tests?
No


Flag name on about://flags
controlled-frame-web-request-security-info

Finch feature name
kControlledFrameWebRequestSecurityInfo

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
True

Tracking bug
https://g-issues.chromium.org/issues/462114142

Launch bug
https://launch.corp.google.com/launch/4436388

Measurement
Added new values to Extensions.WebRequest.EventListenerFlag which are securityInfo, securityInfoRawDer

Availability expectation
Feature is available only in Isolated Web Apps on desktop platforms. https://chromestatus.com/feature/5146307550248960

Adoption expectation
Expected to be used initially by a small number of developers inside Isolated Web Apps.

Adoption plan
Working directly with developers that are planning to rely on the API.

Estimated milestones
Shipping on desktop147
DevTrial on desktop145


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

No information provided

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5076692209106944?gate=6523426508505088

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691df8c4.050a0220.2a427a.06b0.GAE%40google.com


This intent message was generated by Chrome Platform Status.

Mike Taylor

unread,
Dec 15, 2025, 9:36:16 AM (3 days ago) Dec 15
to Chromestatus, blin...@chromium.org, vk...@google.com, iwa-dev

cc iwa-dev@ so IWA OWNERs can approve (per https://www.chromium.org/blink/launching-features/isolated-web-apps/#step-6-prepare-to-ship, as Controlled Frame is an IWA API).

Could you at least link to the original IWA or Controlled Frame positions in the chromestatus entry? I think it's fine to not request a new signal, but providing some contextual pointers is useful.

Web developers: No signals
https://github.com/WICG/proposals/issues/245#issuecomment-3636480660 looks like a positive signal.

Other signals:

Security
This API exposes the server's leaf certificate and fingerprint to the web app. This is not considered a new security or privacy risk. A web app with Isolated Context and the direct-sockets permission can already open a raw TCP connection to any server, perform a (D)TLS handshake using a WASM library, and retrieve the exact same server certificate.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
There's no devTools support for this feature. Since, this feature itself does not modify any web requests, it gives read-only view into server certificate.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
This feature is implemented on desktop platforms, although it will only be available to the end users on platforms that support Isolated Web Apps, which is currently only ChromeOS. Android is excluded for historical reasons, although there are no apparent interoperability blockers here.

Is this feature fully tested by web-platform-tests?
No 
The Controlled Frame chromestatus entry mentions a "psuedo-WPT test environment" at https://source.chromium.org/chromium/chromium/src/+/main:chrome/test/data/controlled_frame/, but I don't see any tests here for WebRequest.SecurityInfo. Any reason why?
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6938134e.050a0220.1dd095.0001.GAE%40google.com.

Reilly Grant

unread,
Dec 15, 2025, 8:40:38 PM (3 days ago) Dec 15
to Chromestatus, blin...@chromium.org, vk...@google.com, iwa-dev
IWA OWNER LGTM, this is an extension to an existing IWA-specific feature. Thank you for finding a solution which fits within the existing Web Request API.

Note, this still needs 3 LGTMs from Blink OWNERS.
Reilly Grant | Software Engineer | rei...@chromium.org | Google Chrome


--

Chris Harrelson

unread,
Dec 17, 2025, 11:08:57 AM (yesterday) Dec 17
to Reilly Grant, Chromestatus, blin...@chromium.org, vk...@google.com, iwa-dev
LGTM1

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMa%3DyZM2rOO3v4BwThnPs7LtGz03OZF9HVom2djt2M-9AQ%40mail.gmail.com.

Yoav Weiss (@Shopify)

unread,
Dec 17, 2025, 11:10:08 AM (yesterday) Dec 17
to blink-dev, Chris Harrelson, Chromestatus, blin...@chromium.org, vk...@google.com, iwa-dev, Reilly Grant
LGTM2 conditional on answers to the questions around tests

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6938134e.050a0220.1dd095.0001.GAE%40google.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Alex Russell

unread,
Dec 17, 2025, 11:22:16 AM (yesterday) Dec 17
to blink-dev, Yoav Weiss, Chris Harrelson, Chromestatus, blin...@chromium.org, vk...@google.com, iwa-dev, Reilly Grant
LGTM3 with the same conditions.

Best,

Alex

Reply all
Reply to author
Forward
0 new messages