Deprecate HTTP-Based Public Key Pinning
HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain. It has very low adoption, and although it provides security against certificate mis-issuance, it also creates risks of denial of service and hostile pinning.
To defend against certificate mis-issuance, web developers should use the Expect-CT header, including its reporting function. Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from configuration errors, and due to the built-in support offered by a number of certificate authorities.
We expect to remove this in Chrome 69.
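An added example (not from the original post or from Chrome): a small Node.js audit that flags responses still sending HPKP headers and checks that Expect-CT is present with its reporting function configured. The function names, finding codes, and sample headers are constructed for illustration.

```javascript
// Added example: audit response headers for the HPKP -> Expect-CT migration.
// One directive: a name, optionally "=" plus a quoted or bare value.
const DIRECTIVE = /([A-Za-z-]+)\s*(?:=\s*(?:"([^"]*)"|([^,\s]*)))?\s*(?:,|$)/g;

// Parse an Expect-CT value: max-age=<seconds>, enforce, report-uri="<uri>"
function parseExpectCT(value) {
  const ct = { maxAge: null, enforce: false, reportUri: null };
  for (const [, rawName, quoted, bare] of value.matchAll(DIRECTIVE)) {
    const name = rawName.toLowerCase();
    const val = quoted !== undefined ? quoted : (bare || '');
    if (name === 'max-age' && /^\d+$/.test(val)) ct.maxAge = Number(val);
    else if (name === 'enforce') ct.enforce = true;
    else if (name === 'report-uri' && val) ct.reportUri = val;
  }
  return ct;
}

// Returns the parsed Expect-CT policy plus a list of finding codes
// (hypothetical names chosen for this example).
function auditPinningHeaders(headers) {
  const h = {};
  // Header names are case-insensitive, so normalise before lookup.
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  for (const name of ['public-key-pins', 'public-key-pins-report-only']) {
    if (name in h) findings.push(`hpkp-present:${name}`);
  }
  if (!('expect-ct' in h)) {
    return { expectCT: null, findings: [...findings, 'expect-ct-missing'] };
  }
  const expectCT = parseExpectCT(h['expect-ct']);
  if (expectCT.maxAge === null) findings.push('expect-ct-no-max-age');
  // Without report-uri the reporting function is not in use.
  if (!expectCT.reportUri) findings.push('expect-ct-no-report-uri');
  return { expectCT, findings };
}

// Constructed sample responses (not captured from any real site).
const LEGACY = {
  'Public-Key-Pins': 'pin-sha256="PLACEHOLDER_PIN_1="; pin-sha256="PLACEHOLDER_PIN_2="; max-age=5184000',
};
const MIGRATED = {
  'expect-ct': 'max-age=86400, enforce, report-uri="https://reports.example.test/ct?site=a,b"',
};
console.log(auditPinningHeaders(LEGACY).findings);
console.log(auditPinningHeaders(MIGRATED));
```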
Deprecate AppCache on Non-secure Contexts
AppCache over HTTP is deprecated. AppCache is a powerful feature that allows offline and persistent access to an origin. Allowing AppCache to be used over non-secure contexts makes it an attack vector for cross-site scripting hacks.
Removal is expected in Chrome 69.
-webkit- prefixed CSS properties will be removed in this release:
- -webkit-box-flex-group: This property has virtually zero usage based on the UseCounter in stable.
- Percent (%) values for -webkit-line-clamp: There is interest in finding a standards-based solution to the number values use case, but we haven't seen demand for the %-based values.
- -webkit-box-lines: This property was never fully implemented. It was originally intended such that a "vertical"/"horizontal" -webkit-box could have multiple rows/columns.
To keep the platform healthy, we sometimes remove APIs from the Web Platform which have run their course. There can be many reasons why we would remove an API, such as:
- They are superseded by newer APIs.
- They are updated to reflect changes to specifications to bring alignment and consistency with other browsers.
- They are early experiments that never came to fruition in other browsers and thus can increase the burden of support for web developers.
Some of these changes will have an effect on a very small number of sites. To mitigate issues ahead of time, we try to give developers advance notice so they can make the required changes to keep their sites running.
Chrome currently has a process for deprecations and removals of APIs, essentially:
- Announce on the blink-dev mailing list.
- Set warnings and give time scales in the Chrome DevTools Console when usage is detected on the page.
- Wait, monitor, and then remove the feature as usage drops.
You can find a list of all deprecated features on chromestatus.com using the deprecated filter and removed features by applying the removed filter. We will also try to summarize some of the changes, reasoning, and migration paths in these posts.