Features That Require Permissions Need To Use Secure Contexts
Google engineers have announced that the Presentation API will be disabled over insecure origins in Chrome 67, due for release around Q2 of 2018.
The Presentation API allows a device to display content on a second screen, such as a projector or TV. One of the more notable uses of the Presentation API is Google’s “Casting” feature, available on Chrome, Android, and through the Chromecast device.
The Presentation API is used either through the Cast SDK or directly in Chrome. Both uses will be deprecated and disabled over HTTP and other insecure protocols and origins. This means the Cast SDK will also require HTTPS or another secure origin.
HTTPS is the secure origin that comes to mind first, but Chrome also considers localhost, file://, chrome-extension://, and a few other origins to be secure.
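As an added example (not code from Chrome or the Cast SDK), the JavaScript below approximates the secure-origin test over an inventory of page URLs so a site owner can find pages that will lose the Presentation API, and shows a runtime guard for page code. It covers only the schemes named above plus the wss and loopback rules from the W3C Secure Contexts specification; the function names and sample URLs are constructed for illustration.

```javascript
// Added example; not Chrome's implementation.
// Schemes named in the article, plus wss: from the W3C Secure Contexts spec.
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'file:', 'chrome-extension:']);

// Approximates "is this origin potentially trustworthy?" for one URL string.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return false; // unparsable input is treated as insecure
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  const host = url.hostname;
  // Loopback is trusted even over plain http (Secure Contexts spec).
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  return host === '[::1]' || /^127(\.\d{1,3}){3}$/.test(host);
}

// Returns the pages whose Presentation API calls stop working once the
// API is disabled on insecure origins.
function findAffectedPages(pageUrls) {
  return pageUrls.filter((u) => !isPotentiallyTrustworthy(u));
}

// Runtime guard for page code: the browser's own isSecureContext flag is
// authoritative (it also accounts for insecure ancestor frames).
function canStartPresentation(win) {
  return Boolean(win && win.isSecureContext &&
    typeof win.PresentationRequest === 'function');
}

// Constructed inventory of pages that use casting (hypothetical URLs).
const SAMPLE_PAGES = [
  'https://media.example.test/player',
  'http://media.example.test/player',
  'http://localhost:8080/dev-player',
  'http://127.0.0.1:3000/dev-player',
  'http://localhost.example.test/player', // not loopback, only looks like it
  'file:///home/user/slides.html',
  'chrome-extension://constructedextensionid/cast.html',
];

console.log(findAffectedPages(SAMPLE_PAGES));
```

In a page, call `canStartPresentation(window)` before constructing a `PresentationRequest` and fall back to a non-casting UI when it returns false.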
In a 2016 interview with Wired, Parisa Tabriz, head of Chrome security, said that “Google wants web pages to be able to reach deeper into your computer’s resources, accessing the same sensitive information, like location and offline data, that apps routinely use.”
Google’s security team is making sure that Chrome uses that data safely. That is part of the reason Chrome originally proposed Deprecating Powerful Features on Insecure Origins (and made the same proposal for new features), with the goal of making sure that any feature that can access particularly sensitive information does so over an authenticated, encrypted, and secure medium.
Chrome has already disabled geolocation on insecure origins and plans to do so with a number of other features including device orientation, AppCache, and more.
Under the proposed deprecation, Chrome 61 (due to be released in the last week of July 2017) will add a console warning for insecure uses of the Presentation API, and version 67 will disable them.