the Chromium logo

The Chromium Projects

Deprecating Powerful Features on Insecure Origins

Proposal

As browser users manage more and more of their day-to-day lives online, we (Chrome Security) believe they should reasonably expect that browsing and interacting with the web is secure and protects their sensitive information across their entire browsing experience. Protecting users’ privacy and security requires connecting to secure origins wherever possible. Practically speaking, this means restricting features to HTTPS in lieu of HTTP, especially for powerful web platform features.

While strong progress has been made in increasing HTTPS adoption on the web over the past several years, there are still millions of sites that do not support secure connections over HTTPS, which means that support for HTTP isn’t going away in the foreseeable future. As long as a significant portion of browsing the web can only happen over HTTP, it’s important that we take steps to protect and inform users whenever we cannot guarantee that their connections are secure.

Continuing from our past efforts to restrict new features to secure origins, we are taking further steps on our path of deprecating powerful features on insecure origins in order to mitigate the most privacy- and security-sensitive risks of using HTTP in Chrome. To guide our efforts going forward, we have created the following principles, which we will use to prioritize future work in this area:

Powerful Features restricted to Secure Origins

A (non-exhaustive) list of powerful features we have already restricted to secure origins includes:

Testing Powerful Features

If you are a developer that needs to keep testing a site using a powerful feature that has been restricted to secure origins, this article provides helpful instructions for a variety of options for local development, including testing on http://localhost where possible, creating and using self-signed certificates, as well as creating, installing, and managing self-signed CAs to issue testing and development certificates.

In addition to this guidance, there are some Chrome and Android-specific tips that can help when developing and testing features restricted to secure origins:

  1. You can use chrome://flags/#unsafely-treat-insecure-origin-as-secure to run Chrome, or use the --unsafely-treat-insecure-origin-as-secure="http://example.com" flag (replacing "example.com" with the origin you actually want to test), which will treat that origin as secure for this session. Note that on Android and ChromeOS the command-line flag requires having a device with root access/dev mode.

  2. On a local network, you can test on your Android device using port forwarding to access a remote host as localhost.

We continue to invest in improved methods for testing powerful features on insecure origins, and we'll update this page once we've developed them. Feel free to contribute ideas to security-dev@chromium.org.