Intent to Deprecate and Remove: [un]registerProtocolHandler() APIs in non-secure contexts

[Eric Lawrence]

Intent to Deprecate and Remove: [un]registerProtocolHandler() APIs in non-secure contexts

Note: This is the same as https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/intent|sort:date/blink-dev/0bfCDijaUzs/8-6en3oNBgAJ, but using the template in a new thread as requested. The original thread has 3 API Owner LGTMs.

Primary eng (and PM) emails

elaw...@chromium.org

Summary
HTML's registerProtocolHandler() gives a webpage a mechanism to register itself to handle a protocol after a user consents. For example, a web-based email application could register to handle the mailto: scheme. A corresponding unregisterProtocolHandler() API allows a site to abandon its protocol-handling registration.

A Chromium CL implementing this change is in review: 

 

  https://chromium-review.googlesource.com/c/chromium/src/+/1892213/

  https://crbug.com/882284

Motivation

These two APIs expose a powerful capability (reconfigure client state, subsequently transmit potentially-sensitive data over the network) thus they should only be exposed in secure contexts. The same-origin restriction for the handler's URL target means that limiting protocol registration to secure contexts will also limit handlers to secure contexts.

A pull request to update the HTML specification https://github.com/whatwg/html/pull/5080 has been approved.

Interoperability and Compatibility Risk

Edge: Edge Spartan didn't have this API. Edge Anaheim is landing this change in Chromium.

Firefox: Supported, Firefox 62 removed this API from non-secure contexts: 

  https://groups.google.com/forum/#!topic/mozilla.dev.platform/zzBWOPMPPs0/discussion

  https://www.fxsitecompat.dev/en-CA/docs/2018/support-for-registerprotocolhandler-on-insecure-sites-has-been-deprecated/

Safari: Protocol handling APIs are not supported. I'll try to find someone to comment here, but WebKit's bugs to implement the API are >7 years old, so it's unclear who might have as strong POV.

Alternative implementation suggestion for web developers

Use a secure context to call the API (e.g. turn on HTTPS).

Usage information from UseCounter

Metrics indicate that RegisterProtocolHandlerInsecureOrigin usage is very low (0.000559% of page loads).

Entry on the feature dashboard

https://chromestatus.com/feature/5756636801007616

Requesting approval to remove too?

“Yes”, in M80.

[Chris Harrelson]

Just for the record, the previous 3 LGTMs still stand.

Good luck shipping this removal!

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bf53f776-a57e-46f2-97f5-ad5aa1244c1e%40chromium.org.