Hi Sebastian, I'm glad to see us moving toward having better isolation in this way.
In discussions of this sort of keying strategy, the guidance I repeatedly hear is that "double-keying" isn't sufficient and that you need to key on the chain of origins. That is, if A frames B and C, and B in turn also frames C, then the two C frames are isolated from each other in the same way that they are isolated from a top-level C.

I took a look at both the fetch issue and your patch and it wasn't clear what strategy we're using. As an aside, an issue on a repo isn't really a specification. I couldn't find a PR on fetch either. What is the tuple we're keying on?

Cheers,
Martin

On Thu, Aug 22, 2019 at 3:40 AM Sebastian Streich <sstre...@mozilla.com> wrote:

> Intent to Implement- Double-keyed HTTP cache
>
> Summary:
>
> Currently Browsers are vulnerable to cache-timing attacks, commonly
> referred to as XS Leaks attacks. Starting with Firefox 70 we want to
> explore a double-keyed HTTP cache. Instead of solely using the origin of
> the resource, we will double key the HTTP Cache using the top-level origin.
> Using the top-level origin as the 2nd Key in the HTTP Cache allows to
> counterfeit XS Leaks and eliminates the ability of checking cache contents
> across Origins.
>
> Bug: Bugzilla 1536058
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1536058>
>
> Standard: https://github.com/whatwg/fetch/issues/904
>
> Platform coverage: all platforms
>
> Estimated or target release: Firefox 70
>
> Preference: The feature will be pref'd behind
> “browser.cache.cache_isolation”
> and disabled by default.
>
> Other browsers:
>
> webkit: shipped
>
> Chrome <https://bugs.chromium.org/p/chromium/issues/detail?id=910708>:
> implementing
>
> web-platform-tests: <none yet>
>
> Secure contexts: This feature isn’t restricted to Secure Contexts.
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
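
Added example (not part of the thread and not Firefox code): a toy model that compares the double key described in the summary with the origin-chain key raised in the reply, using the A/B/C framing scenario from the reply. The origins, the resource URL and all function names are constructed for illustration; the tuple Firefox actually uses is not stated in the thread.

```javascript
// Added illustration: a toy model of HTTP cache partitioning, not Firefox code.
// Origins and the resource URL are constructed sample values.

// A browsing context is described by its ancestor chain of origins,
// top-level first, ending with the origin of the frame making the request.
const contexts = {
  topLevelC: ["https://c.example"],
  cInA:      ["https://a.example", "https://c.example"],
  cInBInA:   ["https://a.example", "https://b.example", "https://c.example"],
};

// Three candidate keying strategies for one cached resource.
const strategies = {
  // Unpartitioned cache: keyed on the resource URL alone.
  single: (chain, url) => JSON.stringify([url]),
  // Double-keyed: top-level origin plus the resource URL.
  double: (chain, url) => JSON.stringify([chain[0], url]),
  // Chain-keyed: the whole ancestor origin chain plus the resource URL.
  chain:  (chain, url) => JSON.stringify([chain, url]),
};

// Returns true when a fetch of `url` from context `probe` would hit a cache
// entry created earlier by a fetch of the same URL from context `writer`.
function sharesEntry(strategy, writer, probe, url) {
  const key = strategies[strategy];
  const cache = new Map();
  cache.set(key(contexts[writer], url), "response body");
  return cache.has(key(contexts[probe], url));
}

// Builds a table of which context pairs share an entry under each strategy.
function isolationMatrix(url) {
  const pairs = [["topLevelC", "cInA"], ["cInA", "cInBInA"], ["topLevelC", "cInBInA"]];
  const rows = [];
  for (const strategy of Object.keys(strategies)) {
    for (const [writer, probe] of pairs) {
      rows.push({ strategy, writer, probe, shared: sharesEntry(strategy, writer, probe, url) });
    }
  }
  return rows;
}

console.table(isolationMatrix("https://cdn.example/lib.js"));
```

In this model the double key separates both embedded C frames from a top-level C, but the two C frames under A still share an entry; only the chain key isolates them from each other.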