Origin-scoped cache/cookie/storage context

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 9 Jan 2014 11:17:32 +0000
Message-ID: <CADnb78gUR1EQi4pi0N=xkufjUO0MKGmhNeCk_Mn6KtJ9qvcGRQ@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: TAG <www-tag@w3.org>

Currently within browsers the HTTP cache is shared across origins.
E.g. nsa.gov can do timing attacks on a resource hosted on
notforthensa.org. Similarly when evil.com fetches a resource on
authenticated.com, credentials will be included in the request if I
was in fact authenticated to authenticated.com through a cookie or
HTTP authentication.

Outside of the browser context, means have been provided to not share
these things. E.g. a Firefox OS hosted web app has no shared context.
If you are authenticated to Facebook, you would need to
re-authenticate within the app. Opera Widgets had the same back in the
day (primarily because you could do cross-origin XMLHttpRequest
without CORS).

It might be worth giving this feature to web pages.

It would provide defense-in-depth and has some similar capabilities to
From-Origin in that you can no longer do timing attacks or test
whether a fetch returns an image or an error depending on whether you
are authenticated.


-- 
http://annevankesteren.nl/
Received on Thursday, 9 January 2014 11:18:01 UTC
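
The difference between a shared and an origin-scoped context, as described in the message above, can be shown with a toy model. This is an added example, not part of the original message and not browser code; the `ModelStore` class, the key functions, the sample URL and the choice to key on the requesting page's origin are all assumptions made for illustration.

```javascript
// Toy model (constructed for illustration; not a browser API or the author's code).
// A store holds cache entries or cookies; keyFn decides what they are keyed on.
class ModelStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.entries = new Set();
  }
  put(pageOrigin, resource) {
    this.entries.add(this.keyFn(pageOrigin, resource));
  }
  has(pageOrigin, resource) {
    return this.entries.has(this.keyFn(pageOrigin, resource));
  }
}

// Shared context: keyed on the resource alone, whichever page asked for it.
const sharedKey = (_pageOrigin, resource) => resource;
// Origin-scoped context (assumed keying): the requesting page's origin is part of the key.
const originScopedKey = (pageOrigin, resource) => JSON.stringify([pageOrigin, resource]);

// Cache case: does what nsa.gov observes depend on whether the user
// loaded the resource while on notforthensa.org?
function cacheStateVisibleCrossOrigin(keyFn) {
  const url = "https://notforthensa.org/logo.png"; // constructed URL
  const observe = (userVisited) => {
    const cache = new ModelStore(keyFn);
    if (userVisited) cache.put("https://notforthensa.org", url);
    return cache.has("https://nsa.gov", url); // a hit shows up as a fast load
  };
  return observe(true) !== observe(false);
}

// Credential case: the user logs in on authenticated.com itself; would a
// request issued by a page on evil.com carry that session?
function crossOriginRequestCarriesCredentials(keyFn) {
  const cookies = new ModelStore(keyFn);
  cookies.put("https://authenticated.com", "https://authenticated.com");
  return cookies.has("https://evil.com", "https://authenticated.com");
}

function compare() {
  return [["shared", sharedKey], ["origin-scoped", originScopedKey]].map(([name, keyFn]) => ({
    context: name,
    cacheStateVisibleCrossOrigin: cacheStateVisibleCrossOrigin(keyFn),
    crossOriginRequestCarriesCredentials: crossOriginRequestCarriesCredentials(keyFn),
  }));
}

console.log(compare());
```

In the scoped model a page on authenticated.com still sees its own session, which matches the re-authentication behaviour the message describes for hosted apps: state exists per context instead of being shared.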