Hi Sebastian,

I'm glad to see us moving toward having better isolation in this way.

In discussions of this sort of keying strategy, the guidance I repeatedly
hear is that "double-keying" isn't sufficient and that you need to key on
the chain of origins.  That is, if A frames B and C, and B in turn also
frames C, then the two C frames are isolated from each other in the same
way that they are isolated from a top-level C.

I took a look at both the fetch issue and your patch and it wasn't clear
what strategy we're using.  As an aside, an issue on a repo isn't really a
specification.  I couldn't find a PR on fetch either.

What is the tuple we're keying on?

Cheers,
Martin

On Thu, Aug 22, 2019 at 3:40 AM Sebastian Streich <sstre...@mozilla.com>
wrote:

> Intent to Implement- Double-keyed HTTP cache
>
>
> Summary:
>
> Currently Browsers are vulnerable to cache-timing attacks, commonly
> referred to as XS Leaks attacks. Starting with Firefox 70 we want to
> explore a double-keyed HTTP cache. Instead of solely using the origin of
> the resource, we will double key the HTTP Cache using the top-level origin.
> Using the top-level origin as the 2nd Key in the HTTP Cache allows to
> counterfeit XS Leaks and eliminates the ability of checking cache contents
> across Origins.
>
> Bug:                  Bugzilla 1536058
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1536058>
>
> Standard:             https://github.com/whatwg/fetch/issues/904
>
> Platform coverage:         all platforms
>
> Estimated or target release:     Firefox 70
>
> Preference:             The feature will be pref'd behind
> “browser.cache.cache_isolation”
>
>      and disabled by default.
>
> Other browsers:
>
> webkit: shipped
>
> Chrome <https://bugs.chromium.org/p/chromium/issues/detail?id=910708>:
> implementing
>
> web-platform-tests:         <none yet>
>
> Secure contexts:          This feature isn’t restricted to Secure Contexts.
> Estimated or target release:     Firefox 70
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Reply via email to