Intent to Unship: registerProtocolHandler() over insecure contexts

Jonathan Kingston

Feb 5, 2018, 5:44:46 AM
to dev-platform
registerProtocolHandler() gives a webpage a mechanism to register itself to
control a protocol after a user consents. For example, a chat application
could control the irc: scheme (named protocol in the API).

Chrome's current telemetry suggests a usage of 0.002836% on insecure pages
which is low enough to deprecate:
https://www.chromestatus.com/metrics/feature/popularity#RegisterProtocolHandlerInsecureOrigin.

Due to the API being able to send URL’s path and parameters over insecure
pages and the low usage of the API I’d like a fast deprecation here.
Content that wants to keep this functionality should protect their users
with HTTPS.

Work is happening here: https://bugzilla.mozilla.org/show_bug.cgi?id=1429732.

In Firefox 60 I plan to submit the code for deprecation; this will include:

- A pref “dom.registerProtocolHandler.insecure.enabled” which controls if
  the API is enabled
  - When set to false, the API will be removed from pages with an
    insecure context.
  - This is identical to using [SecureContext] in WebIDL, but only when
    the pref is set to false.
- A default pref value in Nightly of false - disabling the API for Nightly
- Other builds will receive a deprecation warning which also implements
  telemetry for this feature.


Assuming there are no issues, in Firefox 62 I plan to remove usage of this
API on all builds for insecure contexts.


Thanks

Jonathan
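
For sites affected by the change announced above, an added example (not part of the original post or of Firefox's code) of registering a handler defensively once the method is absent from insecure contexts, and of what the handler URL ends up carrying. The `env` object, the `chat.example` and `irc.example` hosts, the HTTPS-only template rule and the use of `encodeURIComponent` to approximate the browser's escaping are assumptions of this sketch.

```javascript
// Added example. `env` stands in for the browser globals (in a page, pass `window`).
function checkHandlerTemplate(template, pageOrigin) {
  // The browser substitutes %s with the escaped URL the user activated.
  if (!template.includes("%s")) return "missing-%s";
  let url;
  try {
    url = new URL(template.replace("%s", "x"));
  } catch {
    return "invalid-url";
  }
  // Assumed policy for this sketch: the handler page itself must be HTTPS,
  // because the activated URL's path and parameters travel in this request.
  if (url.protocol !== "https:") return "insecure-handler";
  // The HTML spec requires the handler URL to share the registering page's origin.
  if (url.origin !== pageOrigin) return "cross-origin";
  return "ok";
}

function registerHandler(env, scheme, template, title) {
  if (!env.isSecureContext) return "insecure-context";
  // With the API removed from insecure contexts the method is simply missing,
  // so feature-detect instead of calling it unconditionally.
  if (typeof env.navigator.registerProtocolHandler !== "function") return "unsupported";
  const verdict = checkHandlerTemplate(template, env.location.origin);
  if (verdict !== "ok") return verdict;
  env.navigator.registerProtocolHandler(scheme, template, title);
  return "requested"; // the user still has to consent in the browser UI
}

// Approximation of what the handler page is asked to load.
function expandTemplate(template, activatedUrl) {
  return template.replace("%s", encodeURIComponent(activatedUrl));
}

// Constructed environments for running the logic outside a browser.
function fakeEnv(origin, secure, withApi) {
  const calls = [];
  const navigator = withApi
    ? { registerProtocolHandler: (...args) => calls.push(args) }
    : {};
  return { isSecureContext: secure, location: { origin }, navigator, calls };
}
```
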