Intent to Deprecate and Remove: [un]registerProtocolHandler() APIs in non-secure contexts


Eric Lawrence

Nov 20, 2019, 11:41:19 AM
to blink-dev
Intent to Deprecate and Remove: [un]registerProtocolHandler() APIs in non-secure contexts

Note: This is the same as!searchin/blink-dev/intent|sort:date/blink-dev/0bfCDijaUzs/8-6en3oNBgAJ, but using the template in a new thread as requested. The original thread has 3 API Owner LGTMs.

Primary eng (and PM) emails

HTML's registerProtocolHandler() gives a webpage a mechanism to register itself to handle a protocol after a user consents. For example, a web-based email application could register to handle the mailto: scheme. A corresponding unregisterProtocolHandler() API allows a site to abandon its protocol-handling registration.

A Chromium CL implementing this change is in review: 

These two APIs expose a powerful capability (reconfigure client state, subsequently transmit potentially-sensitive data over the network); thus, they should only be exposed in secure contexts. The same-origin restriction for the handler's URL target means that limiting protocol registration to secure contexts will also limit handlers to secure contexts.

A pull request to update the HTML specification has been approved.

Interoperability and Compatibility Risk

Edge: Edge Spartan didn't have this API. Edge Anaheim is landing this change in Chromium.

Firefox: Supported, Firefox 62 removed this API from non-secure contexts:

Safari: Protocol handling APIs are not supported. I'll try to find someone to comment here, but WebKit's bugs to implement the API are >7 years old, so it's unclear who might have a strong POV.

Alternative implementation suggestion for web developers

Use a secure context to call the API (e.g. turn on HTTPS).

Usage information from UseCounter

Metrics indicate that RegisterProtocolHandlerInsecureOrigin usage is very low (0.000559% of page loads).

Entry on the feature dashboard

Requesting approval to remove too?

“Yes”, in M80.
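
The secure-context and same-origin conditions described in the message above can be checked by a page before it calls the API. This is an added example, not part of the original post or of Chromium's code; `checkRegistration` and `registerHandler` are hypothetical helper names, and `win` stands for the page's `window` object.

```javascript
// Added example. checkRegistration and registerHandler are hypothetical helpers.
// Returns the reasons a registration would be refused (empty array = OK).
function checkRegistration(pageUrl, isSecureContext, handlerUrl) {
  const problems = [];
  if (!isSecureContext) {
    problems.push("page is not a secure context; serve it over HTTPS");
  }
  if (!handlerUrl.includes("%s")) {
    problems.push("handler URL has no %s placeholder for the target URL");
  }
  let page, handler;
  try {
    page = new URL(pageUrl);
    handler = new URL(handlerUrl, pageUrl); // resolve relative handler URLs
  } catch {
    problems.push("page or handler URL does not parse");
    return problems;
  }
  // The handler must be same-origin with the registering page, so a
  // secure page can only ever register a secure handler.
  if (handler.origin !== page.origin) {
    problems.push(`handler origin ${handler.origin} differs from page origin ${page.origin}`);
  }
  return problems;
}

// `win` is the window object (or a stand-in with the same three properties).
function registerHandler(win, scheme, handlerUrl, title) {
  const problems = checkRegistration(win.location.href, win.isSecureContext, handlerUrl);
  if (problems.length > 0) return { registered: false, problems };
  if (typeof win.navigator.registerProtocolHandler !== "function") {
    return { registered: false, problems: ["registerProtocolHandler is not exposed"] };
  }
  try {
    // Older implementations expect the third (title) argument.
    win.navigator.registerProtocolHandler(scheme, handlerUrl, title);
    return { registered: true, problems: [] };
  } catch (e) {
    // The browser may still refuse, e.g. for a scheme it does not allow.
    return { registered: false, problems: [`${e.name}: ${e.message}`] };
  }
}
```
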

Chris Harrelson

Nov 21, 2019, 3:31:57 PM
to Eric Lawrence, blink-dev
Just for the record, the previous 3 LGTMs still stand.

Good luck shipping this removal!
