Re: [whatwg/fetch] COEP:credentialless and the HTTP cache. (#1253)

> Firefox and the spec behaved this way for many years, this might mean this isn't a big deal? It has stood the test of time.

We (Chrome) have disagreed here about whether the spec behaviour is the right behaviour, as discussed on the other bug.

> * `CrossOriginIsolation` requires HTTPS, so the only intermediary caches that matter are the ones owning the website SSL private key. So a potential leak can only happen within the website's control.

This is not a correct assumption of the threat model. We see users regularly behind locally-configured proxies, whether for access purposes (e.g. sharing a metered connection), virus inspection, or for DLP purposes. Here, the intermediary cache works by TLS interception. We can't just assume it's origin-only, which I was trying to get at with [my previous message](https://github.com/whatwg/fetch/issues/1253#issuecomment-891980131).

> * If the intermediary cache leaks private data toward anonymous requests, then I would argue this already represents a security problem for the website, independently of `crossOriginIsolation`. If the intermediary cache keys responses using IP address, then the leak happens in between two users from the same local network, otherwise globally.

Yes, it does. That's the problem with assuming we can have separation without expressing that. This is the whole situation for origin servers omitting, for example, `Vary: Cookie`. Many existing caches have already implicitly assumed this behavior, but the point is to not create new situations where there's a bunch of implicit/undocumented behavior.

That's not to say we can't solve this, but that it requires care to make sure we're interoperating with the specifications, and adjusting them if needed.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1253#issuecomment-891989583

Received on Tuesday, 3 August 2021 16:30:12 UTC
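To make the cache-key point in the message above concrete, here is an added example (written for this page, not code from the thread, the Fetch spec or any browser): a toy shared cache that applies the `Vary` secondary-key rule, showing that a response cached from a credentialed request is reused for a cookie-less request unless the origin emits `Vary: Cookie`. The URL, bodies and header values are constructed, and freshness and `Authorization` handling are not modelled.

```python
from typing import Dict, Optional, Tuple

URL = "https://example.test/profile.json"  # constructed sample URL
PRIVATE_BODY = b'{"user":"alice","balance":42}'  # body for a logged-in user
PUBLIC_BODY = b'{"user":null}'  # body for an anonymous request

def origin(req_headers: Dict[str, str], vary: Optional[str]) -> dict:
    """Constructed origin: personalises on Cookie; vary=None omits the header."""
    headers = {"Cache-Control": "max-age=60"}
    if vary:
        headers["Vary"] = vary
    body = PRIVATE_BODY if "cookie" in req_headers else PUBLIC_BODY
    return {"headers": headers, "body": body}

class SharedCache:
    """One entry per URL, reused only when the request header fields named in the
    stored response's Vary match the request that populated it (RFC 9111 s4.1)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[Dict[str, str], dict]] = {}

    def lookup(self, url: str, req_headers: Dict[str, str]) -> Optional[dict]:
        entry = self._entries.get(url)
        if entry is None:
            return None
        stored_req, response = entry
        vary = response["headers"].get("Vary", "")
        for field in (f.strip().lower() for f in vary.split(",") if f.strip()):
            if field == "*" or stored_req.get(field) != req_headers.get(field):
                return None  # secondary key mismatch: entry is not reusable
        return response

    def store(self, url: str, req_headers: Dict[str, str], response: dict) -> None:
        self._entries[url] = (dict(req_headers), response)

def fetch(cache: SharedCache, req_headers: Dict[str, str], vary: Optional[str]) -> dict:
    headers = {k.lower(): v for k, v in req_headers.items()}  # normalise names
    hit = cache.lookup(URL, headers)
    if hit is not None:
        return hit
    response = origin(headers, vary)
    cache.store(URL, headers, response)
    return response

def anonymous_request_sees_private_body(vary: Optional[str]) -> bool:
    """Warm the cache with a credentialed request, then replay the same URL
    without cookies, as a COEP:credentialless no-cors subresource fetch would."""
    cache = SharedCache()
    fetch(cache, {"Cookie": "session=abc"}, vary)
    return fetch(cache, {}, vary)["body"] == PRIVATE_BODY
```

With `vary=None` the cookie-less replay is served the personalised body from the shared cache; with `vary="Cookie"` the secondary key differs, the lookup misses, and the origin returns the public body.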