Thanks for following up Vlad - happy shipping. :) On 1/5/26 8:19 a.m., 'Vlad Krot' via blink-dev wrote:
Thanks for the review. I have added pseudo-wpt test and reference to existing browser tests:Web Platform Tests or other automated test description The pseudo-wpt test is implemented here chrome/test/data/controlled_frame/webrequest_read.window.js. Command to run it - `autoninja -C out/Default browser_tests && out/Default/browser_tests --gtest_filter=ControlledFrameWptBrowserTest.Run/webrequest_read` - pseudo-wpt is a historical artifact of parent feature controlled frame. More info is in the Web Platform Tests section https://chromestatus.com/feature/5199572022853632?gate=5134483605422080 <https://chromestatus.com/feature/5199572022853632?gate=5134483605422080> - this test only supports `state="secure"`, because an endpoint with invalid certificate is not possible to use in the wpt environment. There's more complete browser tests which covers all possible cases and states: chrome/browser/extensions/api/web_request/web_request_apitest.cc gtest_filter=ExtensionWebRequestApiTest.SecurityInfo*, SecurityInfoBrokenWebRequestApiTest.*On Sat, Dec 27, 2025 at 3:21 AM วัลชัย เจริญรักษา <[email protected]> wrote:ในวันที่ พ. 17 ธ.ค. 2025 23:22 น. Alex Russell <[email protected]> เขียนว่า: LGTM3 with the same conditions. Best, Alex On Wednesday, December 17, 2025 at 8:10:08 AM UTC-8 Yoav Weiss wrote: LGTM2 conditional on answers to the questions around tests On Wednesday, December 17, 2025 at 5:08:57 PM UTC+1 Chris Harrelson wrote: LGTM1 On Mon, Dec 15, 2025 at 5:40 PM Reilly Grant <[email protected]> wrote: IWA OWNER LGTM, this is an extension to an existing IWA-specific feature. Thank you for finding a solution which fits within the existing Web Request API. Note, this still needs 3 LGTMs from Blink OWNERS. Reilly Grant | Software Engineer |[email protected] |Google Chrome <https://www.google.com/chrome> On Tue, Dec 9, 2025 at 4:17 AM Chromestatus <[email protected]> wrote: *Contact emails* [email protected] *Explainer* https://github.com/explainers-by-googlers/security-info-web-request *Specification* https://github.com/WICG/controlled-frame/pull/151 *Design docs* https://github.com/explainers-by-googlers/security-info-web-request *Summary* This proposal introduces a WebRequest.SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server. *Blink component* Blink <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%22> *Web Feature ID* Missing feature *Motivation* Web apps sometimes need to establish secure raw TCP/UDP connections (e.g., via Direct Sockets) for custom protocols, often to support legacy servers that cannot be updated to modern alternatives like WebTransport. Unlike standard HTTPS, these raw sockets don't have a built-in mechanism to verify the server's TLS certificate against a trusted root store. This proposal introduces a WebRequest SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server. *Initial public proposal* https://github.com/WICG/proposals/issues/245 *TAG review* Tag does not review Isolated Web Apps. It was stated publicly here https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448 *TAG review status* Pending *Risks* *Interoperability and Compatibility* Other browsers may choose to implement this API. /Gecko/: No signal /WebKit/: No signal /Web developers/: No signals /Other signals/: *Security* This API exposes the server's leaf certificate and fingerprint to the web app. This is not considered a new security or privacy risk. A web app with Isolated Context and the direct-sockets permission can already open a raw TCP connection to any server, perform a (D)TLS handshake using a WASM library, and retrieve the exact same server certificate. *WebView application risks* Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? /No information provided/ *Debuggability* There's no devTools support for this feature. Since, this feature itself does not modify any web requests, it gives read-only view into server certificate. *Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?* No This feature is implemented on desktop platforms, although it will only be available to the end users on platforms that support Isolated Web Apps, which is currently only ChromeOS. Android is excluded for historical reasons, although there are no apparent interoperability blockers here. *Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* No *Flag name on about://flags* controlled-frame-web-request-security-info *Finch feature name* kControlledFrameWebRequestSecurityInfo *Rollout plan* Will ship enabled for all users *Requires code in //chrome?* True *Tracking bug* https://g-issues.chromium.org/issues/462114142 *Launch bug* https://launch.corp.google.com/launch/4436388 *Measurement* Added new values to Extensions.WebRequest.EventListenerFlag which are securityInfo, securityInfoRawDer *Availability expectation* Feature is available only in Isolated Web Apps on desktop platforms. https://chromestatus.com/feature/5146307550248960 *Adoption expectation* Expected to be used initially by a small number of developers inside Isolated Web Apps. *Adoption plan* Working directly with developers that are planning to rely on the API. *Estimated milestones* Shipping on desktop 147 DevTrial on desktop 145 *Anticipated spec changes* Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way). /No information provided/ *Link to entry on the Chrome Platform Status* https://chromestatus.com/feature/5076692209106944?gate=6523426508505088 *Links to previous Intent discussions* Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691df8c4.050a0220.2a427a.06b0.GAE%40google.com This intent message was generated by Chrome Platform Status <https://chromestatus.com>.-- You received this message because you aresubscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6938134e.050a0220.1dd095.0001.GAE%40google.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6938134e.050a0220.1dd095.0001.GAE%40google.com?utm_medium=email&utm_source=footer>.-- You received this message because you aresubscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMa%3DyZM2rOO3v4BwThnPs7LtGz03OZF9HVom2djt2M-9AQ%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEmk%3DMa%3DyZM2rOO3v4BwThnPs7LtGz03OZF9HVom2djt2M-9AQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.-- You received this message because you are subscribed to theGoogle Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f62e6252-d2d2-4f1c-8fe2-aa9966b70fbbn%40chromium.org <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f62e6252-d2d2-4f1c-8fe2-aa9966b70fbbn%40chromium.org?utm_medium=email&utm_source=footer>. --You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACrnVjErP0s3er7zQOPhDeB%2BiBgy5uneJgMQ4nP%3DJ15XR5ixPw%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACrnVjErP0s3er7zQOPhDeB%2BiBgy5uneJgMQ4nP%3DJ15XR5ixPw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
-- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2769f9f7-9538-4b72-84b7-324915ef4ab0%40chromium.org.
