- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 9 Jan 2014 11:17:32 +0000
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: TAG <www-tag@w3.org>
Currently within browsers the HTTP cache is shared across origins. E.g. nsa.gov can do timing attacks on a resource hosted on notforthensa.org. Similarly when evil.com fetches a resource on authenticated.com, credentials will be included in the request if I was in fact authenticated to authenticated.com through a cookie or HTTP authentication.

Outside of the browser context, means have been provided to not share these things. E.g. a Firefox OS hosted web app has no shared context. If you are authenticated to Facebook, you would need to re-authenticate within the app. Opera Widgets had the same back in the day (primarily because you could do cross-origin XMLHttpRequest without CORS).

It might be worth giving this feature to web pages. It would provide defense-in-depth and has some similar capabilities to From-Origin in that you can no longer do timing attacks or test whether a fetch returns an image or an error depending on whether you are authenticated.

--
http://annevankesteren.nl/
Received on Thursday, 9 January 2014 11:18:01 UTC
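The two behaviours the message describes, a browser-wide HTTP cache shared across origins and ambient credentials attached to cross-origin fetches, modelled in Node.js as an added example. This is not code from the post, from any browser, or from any spec: the origins, the cookie value and the latencies are constructed, and `isolatedBrowsingContext` is an assumption about how the proposed per-page opt-out might behave, not a defined API.

```javascript
// Added model, not browser or spec code: a browser-wide HTTP cache and cookie jar shared
// across origins, versus a cache partitioned by top-level origin and a per-page opt-out
// that gives a document its own empty cookie jar and cache (like the Firefox OS hosted
// app in the message). All origins, cookie values and latencies are constructed.

class HttpCache {
  // partitioned=false: entries keyed by URL only, so every origin sees the same entries.
  // partitioned=true: entries keyed by (top-level origin, URL).
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  key(topLevelOrigin, url) {
    return this.partitioned ? `${topLevelOrigin} ${url}` : url;
  }
  get(topLevelOrigin, url) {
    return this.entries.get(this.key(topLevelOrigin, url));
  }
  put(topLevelOrigin, url, body) {
    this.entries.set(this.key(topLevelOrigin, url), body);
  }
}

// Browser-wide cookie jar (constructed): the user is logged in to authenticated.com.
const sharedCookieJar = new Map([
  ["https://authenticated.com", "session=constructed-value"],
]);

// The context every ordinary web page gets today: one cache, one cookie jar.
function sharedBrowsingContext(partitioned) {
  return { cache: new HttpCache({ partitioned }), cookieJar: sharedCookieJar };
}

// The proposed opt-out (assumed behaviour, not a defined API): a fresh cache and an
// empty cookie jar, so the user would have to re-authenticate inside the page.
function isolatedBrowsingContext() {
  return { cache: new HttpCache({ partitioned: true }), cookieJar: new Map() };
}

// Model a fetch issued by a document at pageOrigin. Cookies for the target origin are
// attached whenever the context's jar has them; a cache hit is fast, a miss is slow.
function modelFetch(pageOrigin, url, { cache, cookieJar }) {
  const target = new URL(url).origin;
  const credentialsSent = cookieJar.get(target) ?? null;
  const cached = cache.get(pageOrigin, url);
  if (cached !== undefined) {
    return { cacheHit: true, latencyMs: 2, credentialsSent, body: cached };
  }
  const body = `<${target} responded ${credentialsSent ? "authenticated" : "anonymous"}>`;
  cache.put(pageOrigin, url, body);
  return { cacheHit: false, latencyMs: 120, credentialsSent, body };
}

// Experiment 1: after the user visits notforthensa.org, can a page on nsa.gov tell from
// latency that the resource is cached? Returns true when the cache state is observable.
function crossOriginCacheSignal(partitioned) {
  const ctx = sharedBrowsingContext(partitioned);
  const resource = "https://notforthensa.org/members/dashboard";
  modelFetch("https://notforthensa.org", resource, ctx); // user visits the site
  const probe = modelFetch("https://nsa.gov", resource, ctx); // later, from nsa.gov
  return probe.latencyMs < 10;
}

// Experiment 2: does a fetch from evil.com to authenticated.com carry the user's cookie?
// Returns the cookie string that would be sent, or null.
function credentialsOnCrossOriginFetch(isolated) {
  const ctx = isolated ? isolatedBrowsingContext() : sharedBrowsingContext(true);
  return modelFetch("https://evil.com", "https://authenticated.com/api/me", ctx).credentialsSent;
}

console.log("shared cache, hit visible cross-origin:", crossOriginCacheSignal(false)); // true
console.log("partitioned cache, hit visible cross-origin:", crossOriginCacheSignal(true)); // false
console.log("shared context, cookie sent:", credentialsOnCrossOriginFetch(false)); // session=constructed-value
console.log("isolated context, cookie sent:", credentialsOnCrossOriginFetch(true)); // null
```

Run it with `node` (version 14 or later, for `??`). The first experiment shows why keying the cache by top-level origin removes the cross-origin timing signal the message mentions; the second shows that stripping ambient credentials from a page's context turns the authenticated-versus-anonymous response difference into a constant, which is the defense-in-depth the message argues for. Mainstream browsers have since adopted cache partitioning by top-level site along these lines.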