Re: Origin-scoped cache/cookie/storage context

On Thu, Jan 9, 2014 at 1:17 PM, Anne van Kesteren <> wrote:
> Currently within browsers the HTTP cache is shared across origins.
> E.g. can do timing attacks on a resource hosted on

This could be addressed by using the { origin of top-level browsing
context, resource URL } as the cache key instead of using just {
resource URL } as the cache key. This would result in cache misses for
stuff like tweet button images or jQuery loaded from a well-known
central location.

Have you tried to find out if the reason for the lack of such cache
partitioning by top-level origin is a matter of the issue not having
been a high enough priority to implement *yet* or an issue of
performance concern about the cache misses?

Henri Sivonen

Received on Friday, 10 January 2014 09:12:33 UTC