Last month, we sent an intent to prototype for a more secure browser API for mdoc selection, which we believe will more safely enable mobile driver’s licenses on the web across multiple wallets. In addition to allowing sites to request real-world identity information (for opening a bank account, for example), this dedicated API will also give users more transparency into, and control over, what personal information is then shared with the website requesting it.
As prototyping of the new API begins, we are considering blocking the URI schemes mdoc and mdoc-openid4vp from being forwarded directly to the OS (e.g. as Intents on Android). These schemes have been proposed as a way to repurpose Chromium's support for websites opening complementary apps in order to open and communicate directly with arbitrary wallet apps. We believe this mechanism exposes consumers to more security risks, such as phishing attacks, because it does not give the browser enough information to explain the request to the user, and because it prevents the operating system from mediating such requests.
For similar reasons, Android is exploring a complementary, API-based solution, instead of supporting the URL schemes mentioned above.
Like all Chromium projects, the new API will be developed in the open, and we’ll be engaging with developers, regulators, and industry groups for feedback.
We are collecting feedback and metrics on this deprecation plan and will follow up with a bug and feature dashboard entry when pertinent.