Re: Origin-scoped cache/cookie/storage context

From: Henri Sivonen <hsivonen@hsivonen.fi>
Date: Fri, 10 Jan 2014 11:12:02 +0200
Message-ID: <CANXqsRL70J-n9fgEWicm=TX4vuTtWq8b=ZAixsibh1XbK3MMaA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>

On Thu, Jan 9, 2014 at 1:17 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Currently within browsers the HTTP cache is shared across origins.
> E.g. nsa.gov can do timing attacks on a resource hosted on
> notforthensa.org.

This could be addressed by using the { origin of top-level browsing
context, resource URL } as the cache key instead of using just {
resource URL } as the cache key. This would result in cache misses for
stuff like tweet button images or jQuery loaded from a well-known
central location.

Have you tried to find out if the reason for the lack of such cache
partitioning by top-level origin is a matter of the issue not having
been a high enough priority to implement *yet* or an issue of
performance concern about the cache misses?

Henri Sivonen
Received on Friday, 10 January 2014 09:12:33 UTC
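
The two cache-key schemes discussed in the message above, as an added example that is not part of the original email: a toy in-memory cache model showing that keying on { top-level origin, resource URL } turns a cross-site cache probe into a miss, and that the same change costs the hit on a centrally hosted library. The class and function names and the `.example` hostnames are assumptions made for illustration.

```javascript
// Toy model of an HTTP cache; not a browser implementation.
class HttpCache {
  // partitioned=false: cache key is { resource URL }
  // partitioned=true:  cache key is { top-level origin, resource URL }
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
    this.misses = 0;
  }

  key(topLevelUrl, resourceUrl) {
    const url = new URL(resourceUrl).href;
    if (!this.partitioned) return url;
    // A JSON array keeps the two key components unambiguous.
    return JSON.stringify([new URL(topLevelUrl).origin, url]);
  }

  // Returns "hit" or "miss"; a miss stores the (simulated) response.
  fetch(topLevelUrl, resourceUrl) {
    const k = this.key(topLevelUrl, resourceUrl);
    if (this.entries.has(k)) return "hit";
    this.misses += 1;
    this.entries.set(k, "response body");
    return "miss";
  }
}

// Constructed scenario: the user visits site-b, then a page on site-a
// requests the same two URLs as subresources.
function simulate(partitioned) {
  const cache = new HttpCache(partitioned);
  const siteBResource = "https://site-b.example/members/avatar.png";
  const sharedLibrary = "https://cdn.example/jquery.js";

  cache.fetch("https://site-b.example/", siteBResource);
  cache.fetch("https://site-b.example/", sharedLibrary);

  // Cache state seen from site-a: a "hit" on siteBResource reveals
  // that the user has been to site-b.
  const probe = cache.fetch("https://site-a.example/", siteBResource);
  const library = cache.fetch("https://site-a.example/", sharedLibrary);
  return { probe, library, misses: cache.misses };
}

console.log("URL-only key:       ", simulate(false));
console.log("top-level origin key:", simulate(true));
```
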
