AppCache is a powerful feature on the web that permits a web page to be viewed offline. This increases the risk that a user is unaware of the source of the web page content when browsing over HTTP.
Besides fundamental issues with AppCache, which are summarized in this article [http://alistapart.com/article/application-cache-is-a-douchebag], AppCache increases the risk of a MitM attack to a user. The users cache persists with a device once they change to a different network. Example attack: Assume a user visits a website over an insecure WiFi network and the connection to the site was MitM’ed. The MitM injected it’s own content into the website and the browser then caches that content. The user decides not to enter their sensitive data whilst on an insecure network. The user then takes their device home and tries to visit the site over the internet provided by their ISP. The user now assumes they can enter sensitive information with less risk. But since the page content was cached over the insecure WiFi network, it will still be the malicious content from the attacker. The sensitive data entered is then sent to the attacker instead of the website. In addition, the cached content can also redirect the user to a secure web page owned by the attacker. For more explanations of the risks see Jake Archibald’s comment regarding AppCache issues: https://bugzilla.mozilla.org/show_bug.cgi?id=1237782#c34 Impact on the Web: Firefox 44 has started to provide a deprecation for all of AppCache: https://www.fxsitecompat.com/en-CA/docs/2016/application-cache-support-will-be-removed/ Chrome has previously shown intent to deprecate and remove AppCache for insecure origins, but for one reason or the other that didn’t happen: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/UKF8cK0EwMI Additionally, AppCache has been deprecated from the HTML standard:: https://html.spec.whatwg.org/multipage/offline.html#offline Developers are advised to use service workers instead of AppCache which are now supported in all major browser early releases including Safari Technology Preview! Websites will be required to use HTTPS to use service workers but websites will gain lots more functionality too. https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers In 2016 Chromes telemetry suggested “around 1.9% of all page loads use include an AppCache main page load event, but only 0.05% do that over an insecure origin”. Firefox telemetry suggests 0.02% in stable 57 for documents and 0.17% for pages (for secure and not secure): https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2018-01-03&keys=__none__!__none__!__none__&max_channel_version=release%252F57&measure=USE_COUNTER2_DEPRECATED_AppCache_PAGE&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-11-12&table=0&trim=1&use_submission_date=0 Given that we also just announced that usage statistics were over counting for use counters https://groups.google.com/forum/#!topic/mozilla.dev.platform/3pdSQtwOz5g I think this is a safe position to remove from insecure pages given the risks. Removal Implementation: Implementation is happening in: https://bugzilla.mozilla.org/show_bug.cgi?id=1354175 The intent in Firefox 60 is to ship a pref “browser.cache.offline.insecure.enable" to remove AppCache over insecure contexts. When the pref is set to false the API will be removed: - window.applicationCache will be removed - The cache service Firefox implements for AppCache will be disabled over Insecure Contexts When the pref is set to true the code will produce an additional developer console warning about the removal timeline. In Nightly and Early beta for 60; the pref will be set to false removing the API. In Firefox 62 Stable I plan to switch the pref to false if no further issues arise. Kind regards Jonathan Kingston _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
