Re: [whatwg/fetch] Double-keyed HTTP cache (#904) from Josh Karlin on 2019-05-09 (public-webapps-github@w3.org from May 2019)

From: Josh Karlin <notifications@github.com>
Date: Thu, 09 May 2019 09:26:09 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/904/490973491@github.com>

Very interested. We'd like to mitigate security issues such as [x-site search](https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html).

Chrome's experimenting with double keying by (top-frame origin, url) as well as triple-keying (top-frame origin, initiator origin, url). Triple keying protects caches of frames within a page from each other. The performance hit from double-keying seems reasonable at first glance, but it's important that we address x-origin prefetch in a multi-keyed cache world. We don't yet have data on triple-keying.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/904#issuecomment-490973491

Received on Thursday, 9 May 2019 16:26:31 UTC