updated feature: WebRequest.SecurityInfo in Controlled Frame
6 views
Skip to first unread message
Chromestatus
Nov 17, 2025, 9:13:36 AMNov 17
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- explainer_links:
Old: []
New: https://github.com/explainers-by-googlers/security-info-web-request - requires_embedder_support:
Old: False
New: True
Your next steps:
You are receiving this email because:
- You are subscribed to all IWA features
Chromestatus
Nov 18, 2025, 10:15:24 AMNov 18
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- spec_mentor_emails:
Old: []
New: dom@chromium.org
Your next steps:
Chromestatus
Nov 19, 2025, 12:00:24 PMNov 19
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- initial_public_proposal_url:
Old: None
New: https://github.com/WICG/proposals/issues/245 - motivation:
Old: None
New: Web apps sometimes need to establish secure raw TCP/UDP connections (e.g., via Direct Sockets) for custom protocols, often to support legacy servers that cannot be updated to modern alternatives like WebTransport. Unlike standard HTTPS, these raw sockets don't have a built-in mechanism to verify the server's TLS certificate against a trusted root store. This proposal introduces a WebRequest SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.
Your next steps:
Chromestatus
Nov 19, 2025, 12:04:54 PMNov 19
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- active_stage_id:
Old: 5144859111456768
New: 6263500959776768 - shipping_year:
Old: 2025
New: 2026 - bug_url:
Old: None
New: https://g-issues.chromium.org/issues/462114142 - launch_bug_url:
Old: None
New: https://launch.corp.google.com/launch/4436388
Your next steps:
Chromestatus
Nov 21, 2025, 12:50:28 PMNov 21
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by elmira...@google.com:
- enterprise_impact:
Old: 2
New: 2
Your next steps:
Chromestatus
Nov 21, 2025, 12:50:34 PMNov 21
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by elmira...@google.com:
- enterprise_impact:
Old: 1
New: 2
Your next steps:
Chromestatus
Nov 21, 2025, 12:50:38 PMNov 21
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by elmira...@google.com:
- enterprise_impact:
Old: 2
New: 2
Your next steps:
Chromestatus
Nov 24, 2025, 8:53:43 AMNov 24
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- dt_milestone_desktop_start:
Old: None
New: 145 - all_platforms_descr:
Old: None
New: This feature is implemented on desktop platforms, although it will only be available to the end users on platforms that support Isolated Web Apps, which is currently only ChromeOS. Android is excluded for historical reasons, although there are no apparent interoperability blockers here. - debuggability:
Old: None
New: There's no devTools support for this feature. Since, this feature itself does not modify any web requests, it gives read-only view into server certificate. - doc_links:
Old: []
New: https://github.com/explainers-by-googlers/security-info-web-request - flag_name:
Old: None
New: controlled-frame-web-request-security-info - finch_name:
Old: None
New: kControlledFrameWebRequestSecurityInfo - interop_compat_risks:
Old: None
New: Other browsers may choose to implement this API. - measurement:
Old: None
New: Added new values to Extensions.WebRequest.EventListenerFlag which are securityInfo, securityInfoRawDer - security_risks:
Old: None
New: This API exposes the server's leaf certificate and fingerprint to the web app. This is not considered a new security or privacy risk. A web app with Isolated Context and the direct-sockets permission can already open a raw TCP connection to any server, perform a (D)TLS handshake using a WASM library, and retrieve the exact same server certificate.
Your next steps:
Chromestatus
Nov 27, 2025, 11:19:54 AMNov 27
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- tag_review:
Old: None
New: Tag does not review Isolated Web Apps. It was stated publicly here https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448
Your next steps:
Chromestatus
Nov 27, 2025, 12:16:05 PMNov 27
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- shipped_milestone:
Old: None
New: 147 - adoption_expectation:
Old: None
New: Expected to be used initially by a small number of developers inside Isolated Web Apps. - adoption_plan:
Old: None
New: Working directly with developers that are planning to rely on the API. - availability_expectation:
Old: None
New: Feature is available only in Isolated Web Apps on desktop platforms. https://chromestatus.com/feature/5146307550248960
Your next steps:
Chromestatus
Dec 1, 2025, 12:50:00 PMDec 1
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by sada...@google.com:
- Testing review status https://chromestatus.com/feature/5076692209106944?gate=5397526601662464:
Old: no_response
New: na
Your next steps:
Chromestatus
Dec 2, 2025, 1:30:09 PMDec 2
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by nsamar...@google.com:
- Enterprise review status https://chromestatus.com/feature/5076692209106944?gate=4834576648241152:
Old: no_response
New: approved
Your next steps:
Chromestatus
Dec 4, 2025, 6:41:29 AMDec 4
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- api_spec:
Old: False
New: True - spec_link:
Old: None
New: https://wicg.github.io/controlled-frame/#api-web-request - standard_maturity:
Old: 0
New: Proposal in a personal repository, no adoption from community
Your next steps:
Chromestatus
Dec 4, 2025, 6:41:56 AMDec 4
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- spec_link:
Old: https://wicg.github.io/controlled-frame/#api-web-request
New: https://github.com/WICG/controlled-frame/pull/151
Your next steps:
Chromestatus
Dec 9, 2025, 4:47:16 AMDec 9
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by antonio...@google.com:
- WP Security review status https://chromestatus.com/feature/5076692209106944?gate=6241951531794432:
Old: no_response
New: approved
Your next steps:
Chromestatus
Dec 10, 2025, 9:07:55 AMDec 10
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by t...@google.com:
- Privacy review status https://chromestatus.com/feature/5076692209106944?gate=5116051624951808:
Old: no_response
New: approved
Your next steps:
Chromestatus
Dec 11, 2025, 8:09:04 AM (13 days ago) Dec 11
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by vk...@google.com:
- spec_link:
Old: https://github.com/WICG/controlled-frame/pull/151
New: https://wicg.github.io/controlled-frame/#dictdef-securityinfo - standard_maturity:
Old: Proposal in a personal repository, no adoption from community
New: Specification currently under development in a Working Group
Your next steps:
Chromestatus
Dec 15, 2025, 5:12:49 AM (9 days ago) Dec 15
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by pfa...@google.com:
- Debuggability review status https://chromestatus.com/feature/5076692209106944?gate=5960476555083776:
Old: no_response
New: approved
Your next steps:
Chromestatus
Dec 15, 2025, 9:36:08 AM (9 days ago) Dec 15
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by mike...@chromium.org:
- API Owners review status https://chromestatus.com/feature/5076692209106944?gate=6523426508505088:
Old: no_response
New: needs_work
Note: Feature owners must press the "Re-request review" button after requested changes have been completed.
Your next steps:
Chromestatus
Dec 17, 2025, 11:08:58 AM (7 days ago) Dec 17
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by chri...@chromium.org:
- API Owners review status https://chromestatus.com/feature/5076692209106944?gate=6523426508505088:
Old: no_response
- New: approved
Your next steps:
Chromestatus
Dec 17, 2025, 11:09:29 AM (7 days ago) Dec 17
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by sligh...@chromium.org:
- API Owners review status https://chromestatus.com/feature/5076692209106944?gate=6523426508505088:
Old: no_response
New: approved
Your next steps:
Chromestatus
Dec 17, 2025, 11:10:28 AM (7 days ago) Dec 17
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by yoav...@chromium.org:
- API Owners review status https://chromestatus.com/feature/5076692209106944?gate=6523426508505088:
Old: no_response
New: approved
Your next steps:
Chromestatus
Dec 23, 2025, 9:42:20 AM (yesterday) Dec 23
to iwa...@chromium.org
Chrome Platform Status
|
|
Updated feature entry: |
| WebRequest.SecurityInfo in Controlled Frame |
Updates made by elmira...@google.com:
- is_releasenotes_content_reviewed:
Old: False
New: True - summary:
Old: This proposal introduces a WebRequest.SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.
New: This feature introduces a WebRequest.SecurityInfo API for [ControlledFrame](https://developer.chrome.com/docs/iwa/controlled-frame). It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.
Your next steps:
Reply all
Reply to author
Forward
0 new messages