Explain why only https urls should be associated.

[LuHuangMSFT]

This issue originated from a CL review discussion here: https://chromium-review.googlesource.com/c/chromium/src/+/2405696

The explainer can be more explicit about why only https origins are allowed to be required in url_handlers for URL handling.

---

Notes:

• There is an expectation that content in PWAs come from https URLs.
• We have not received any requests for http support.
• We can provide better security guarantees if only https URLs are allowed here.
  • If the association file is fetched from a http URL, it cannot be trusted to represent the consent of content owners.

[SamB]

What should happen if the user opens an old http URL that now redirects to https?

What if they opened it from outside the browser?

What if there's an MITM sending the wrong redirects?

It's certainly true that you don't want to fetch association files from plain http, but it should be fine to just use the https one for the same domain, shouldn't it?

It's also plausible that asking the PWA to handle an http URL would result in it accidentally making plain http requests.

Perhaps a mechanism to explicitly request that certain http:// URLs be rewritten to https:// before the PWA sees them?