Origin-scoped cache/cookie/storage context

Currently within browsers the HTTP cache is shared across origins.
E.g. nsa.gov can do timing attacks on a resource hosted on
notforthensa.org. Similarly when evil.com fetches a resource on
authenticated.com, credentials will be included in the request if I
was in fact authenticated to authenticated.com through a cookie or
HTTP authentication.

Outside of the browser context, means have been provided to not share
these things. E.g. a Firefox OS hosted web app has no shared context.
If you are authenticated to Facebook, you would need to
re-authenticate within the app. Opera Widgets had the same back in the
day (primarily because you could do cross-origin XMLHttpRequest
without CORS).

It might be worth giving this feature to web pages.

It would provide defense-in-depth and has some similar capabilities to
From-Origin in that you can no longer do timing attacks or test
whether a fetch returns an image or an error depending on whether you
are authenticated.


Received on Thursday, 9 January 2014 11:18:02 UTC