updated feature: WebRequest.SecurityInfo in Controlled Frame


Chromestatus

Nov 17, 2025, 9:13:36 AM
to iwa...@chromium.org
Chrome Platform Status
Updated feature entry:
WebRequest.SecurityInfo in Controlled Frame
Updates made by vk...@google.com:
  • explainer_links:
    Old: []
    New: https://github.com/explainers-by-googlers/security-info-web-request

  • requires_embedder_support:
    Old: False
    New: True


Chromestatus

Nov 18, 2025, 10:15:24 AM
to iwa...@chromium.org
Chrome Platform Status
Updates made by vk...@google.com:
  • spec_mentor_emails:
    Old: []
    New: dom@chromium.org


Chromestatus

Nov 19, 2025, 12:00:24 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by vk...@google.com:
  • initial_public_proposal_url:
    Old: None
    New: https://github.com/WICG/proposals/issues/245

  • motivation:
    Old: None
    New: Web apps sometimes need to establish secure raw TCP/UDP connections (e.g., via Direct Sockets) for custom protocols, often to support legacy servers that cannot be updated to modern alternatives like WebTransport. Unlike standard HTTPS, these raw sockets don't have a built-in mechanism to verify the server's TLS certificate against a trusted root store. This proposal introduces a WebRequest SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.


Chromestatus

Nov 19, 2025, 12:04:54 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by vk...@google.com:
  • active_stage_id:
    Old: 5144859111456768
    New: 6263500959776768

  • shipping_year:
    Old: 2025
    New: 2026

  • bug_url:
    Old: None
    New: https://g-issues.chromium.org/issues/462114142

  • launch_bug_url:
    Old: None
    New: https://launch.corp.google.com/launch/4436388


Chromestatus

Nov 21, 2025, 12:50:28 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by elmira...@google.com:
  • enterprise_impact:
    Old: 2
    New: 2


Chromestatus

Nov 21, 2025, 12:50:34 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by elmira...@google.com:
  • enterprise_impact:
    Old: 1
    New: 2


Chromestatus

Nov 21, 2025, 12:50:38 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by elmira...@google.com:
  • enterprise_impact:
    Old: 2
    New: 2


Chromestatus

Nov 24, 2025, 8:53:43 AM
to iwa...@chromium.org
Chrome Platform Status
Updates made by vk...@google.com:
  • dt_milestone_desktop_start:
    Old: None
    New: 145

  • all_platforms_descr:
    Old: None
    New: This feature is implemented on desktop platforms, although it will only be available to the end users on platforms that support Isolated Web Apps, which is currently only ChromeOS. Android is excluded for historical reasons, although there are no apparent interoperability blockers here.

  • debuggability:
    Old: None
    New: There's no DevTools support for this feature. Since this feature itself does not modify any web requests, it gives a read-only view into the server certificate.

  • doc_links:
    Old: []
    New: https://github.com/explainers-by-googlers/security-info-web-request

  • flag_name:
    Old: None
    New: controlled-frame-web-request-security-info

  • finch_name:
    Old: None
    New: kControlledFrameWebRequestSecurityInfo

  • interop_compat_risks:
    Old: None
    New: Other browsers may choose to implement this API.

  • measurement:
    Old: None
    New: Added new values to Extensions.WebRequest.EventListenerFlag which are securityInfo, securityInfoRawDer

  • security_risks:
    Old: None
    New: This API exposes the server's leaf certificate and fingerprint to the web app. This is not considered a new security or privacy risk. A web app with Isolated Context and the direct-sockets permission can already open a raw TCP connection to any server, perform a (D)TLS handshake using a WASM library, and retrieve the exact same server certificate.


Chromestatus

Nov 27, 2025, 11:19:54 AM
to iwa...@chromium.org
Chrome Platform Status
Updates made by vk...@google.com:
  • tag_review:
    Old: None
    New: TAG does not review Isolated Web Apps. It was stated publicly here: https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448


Chromestatus

Nov 27, 2025, 12:16:05 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by vk...@google.com:
  • shipped_milestone:
    Old: None
    New: 147

  • adoption_expectation:
    Old: None
    New: Expected to be used initially by a small number of developers inside Isolated Web Apps.

  • adoption_plan:
    Old: None
    New: Working directly with developers that are planning to rely on the API.

  • availability_expectation:
    Old: None
    New: Feature is available only in Isolated Web Apps on desktop platforms. https://chromestatus.com/feature/5146307550248960


Chromestatus

Dec 1, 2025, 12:50:00 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by sada...@google.com:

Chromestatus

Dec 2, 2025, 1:30:09 PM
to iwa...@chromium.org
Chrome Platform Status
Updates made by nsamar...@google.com: