- From: Henri Sivonen <hsivonen@hsivonen.fi>
- Date: Fri, 10 Jan 2014 11:12:02 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>
On Thu, Jan 9, 2014 at 1:17 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Currently within browsers the HTTP cache is shared across origins.
> E.g. nsa.gov can do timing attacks on a resource hosted on
> notforthensa.org.

This could be addressed by using the { origin of top-level browsing context, resource URL } as the cache key instead of using just { resource URL } as the cache key. This would result in cache misses for stuff like tweet button images or jQuery loaded from a well-known central location.

Have you tried to find out if the reason for the lack of such cache partitioning by top-level origin is a matter of the issue not having been a high enough priority to implement *yet* or an issue of performance concern about the cache misses?

--
Henri Sivonen
hsivonen@hsivonen.fi
https://hsivonen.fi/
Received on Friday, 10 January 2014 09:12:33 UTC
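
The two cache-key schemes from the message above, as an added example that is not part of the original e-mail or any browser's code. The class, function names and `example` URLs are constructed for illustration; the model shows both the cross-site hit that a timing measurement would observe and the extra misses for a centrally hosted library.

```javascript
// Toy HTTP cache modelling the two cache-key schemes from the message.
// All names and URLs are constructed for this example.
class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
    this.networkFetches = 0;
  }

  // Key is { resource URL } or { top-level origin, resource URL }.
  key(topLevelOrigin, resourceUrl) {
    const url = new URL(resourceUrl).href;
    if (!this.partitioned) return url;
    return JSON.stringify([new URL(topLevelOrigin).origin, url]);
  }

  // Returns "hit" or "miss"; a miss stores the response for next time.
  fetch(topLevelOrigin, resourceUrl) {
    const k = this.key(topLevelOrigin, resourceUrl);
    if (this.entries.has(k)) return "hit";
    this.networkFetches += 1;
    this.entries.set(k, { body: "..." });
    return "miss";
  }
}

// Constructed scenario: the user visits site A, which loads one of its own
// resources and a shared library; a page on site B then loads the same URLs.
function scenario(partitioned) {
  const cache = new HttpCache(partitioned);
  const siteA = "https://a.example/";
  const siteB = "https://b.example/";
  const ownResource = "https://a.example/account/avatar.png";
  const sharedLib = "https://cdn.example/jquery.js";

  cache.fetch(siteA, ownResource);
  cache.fetch(siteA, sharedLib);
  return {
    crossSiteProbe: cache.fetch(siteB, ownResource), // what timing reveals
    sharedLibOnB: cache.fetch(siteB, sharedLib),     // the performance cost
    revisitA: cache.fetch(siteA, sharedLib),         // same-site reuse
    networkFetches: cache.networkFetches,
  };
}

console.log("shared cache:     ", scenario(false));
console.log("partitioned cache:", scenario(true));
```

With the shared key, site B's load of site A's resource is a hit; with the partitioned key it is a miss, at the cost of two additional network fetches in this scenario.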