- From: arturjanc <notifications@github.com>
- Date: Mon, 16 Jan 2023 10:24:59 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 16 January 2023 18:25:13 UTC
I think there's still some value in doing this, partly because partitioning is not aligned with the same-origin policy: in browsers with double-keyed cache, cross-site iframes share the cache partition with the embedder, and even triple-keyed cache has site and not origin-level granularity, so documents from the same site will indeed share the partition.

That said, this behavior is mostly a convenience mechanism to invalidate the cache for a particular URL, and if https://xsleaks.dev/docs/attacks/cache-probing/#invalidating-the-cache-with-errors is to be believed, there are other known techniques to achieve this. Basically, I don't think fixing this will solve any XS-Leaks, it might just restrict same-partition attacks or require finding alternative cache eviction techniques -- so while it has non-zero positive value, it's probably not a super high-priority change.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/902#issuecomment-1384420458
Message ID: <whatwg/fetch/issues/902/1384420458@github.com>
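The partition granularity described in the message above, as an added example that is not part of the original message or of the Fetch specification: a simplified model of double- and triple-keyed cache keys showing which documents end up in the same partition. The suffix set, the URLs, and the function names are constructed assumptions; real browsers derive sites from the full Public Suffix List.

```javascript
// Simplified model of HTTP cache partition keys (added example, not spec text).
// Assumption: a "site" is scheme + registrable domain, approximated here with
// a tiny constructed suffix set instead of the real Public Suffix List.
const SUFFIXES = new Set(["com", "test", "co.uk"]);

function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    // The longest suffix is tried first; keep one label to its left.
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return `${u.protocol}//${labels.slice(Math.max(i - 1, 0)).join(".")}`;
    }
  }
  return `${u.protocol}//${u.hostname}`;
}

// ctx: { top: top-level document URL, frame: requesting document URL }
function cacheKey(mode, ctx, resource) {
  switch (mode) {
    case "unpartitioned": return JSON.stringify([resource]);
    case "double": return JSON.stringify([siteOf(ctx.top), resource]);
    case "triple": return JSON.stringify([siteOf(ctx.top), siteOf(ctx.frame), resource]);
    default: throw new Error(`unknown mode: ${mode}`);
  }
}

function sharesPartition(mode, a, b, resource) {
  return cacheKey(mode, a, resource) === cacheKey(mode, b, resource);
}

function sameOrigin(a, b) {
  return new URL(a.frame).origin === new URL(b.frame).origin;
}

// Constructed contexts: the embedding page, two of its iframes, another site.
const RESOURCE = "https://cdn.test/app.js";
const embedder = { top: "https://news.example.com/", frame: "https://news.example.com/" };
const crossSiteFrame = { top: "https://news.example.com/", frame: "https://widgets.test/" };
const sameSiteFrame = { top: "https://news.example.com/", frame: "https://ads.example.com/" };
const otherTop = { top: "https://other.test/", frame: "https://other.test/" };

for (const mode of ["unpartitioned", "double", "triple"]) {
  console.log(mode, {
    crossSiteFrame: sharesPartition(mode, embedder, crossSiteFrame, RESOURCE),
    sameSiteFrame: sharesPartition(mode, embedder, sameSiteFrame, RESOURCE),
    otherTop: sharesPartition(mode, embedder, otherTop, RESOURCE),
  });
}
```

In this model the cross-site iframe shares the embedder's partition under the double key but not the triple key, while the same-site iframe shares it under both even though its origin differs.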