How to still cache across sites

Posted Jan 27, 2021 10:53 UTC (Wed) by leromarinvit (subscriber, #56850)
In reply to: How to still cache across sites by pabs
Parent article: Firefox 85 released

Wouldn't that potentially open a different covert channel, where the server intentionally delays the image by a known time, and the other site reads information from getting the same delay?

How to still cache across sites

Posted Jan 27, 2021 12:16 UTC (Wed) by excors (subscriber, #95769) [Link] (2 responses)

Yeah, I think you could just set up a server that randomly pauses for 0 or 1 seconds before returning a small image, then a site can request N different images and time them to get a unique N-bit ID, and another site can request the same set of images and (if the timings were copied from the browser's cache) would get precisely the same ID. That's even easier than the previously suggested approach, because a site can read the ID without destroying the cache state and having to actively rewrite it each time.

(These are very coarse timings so the Spectre mitigation of eliminating high-resolution timing APIs in JavaScript won't help here. And I suspect browsers can't prevent scripts from observing when a cross-origin resource has finished loading, without massively breaking compatibility with large parts of the web (which would be unacceptable): embedding external images is very common, and there's lots of widely-used APIs that can observe the on-screen layout of the page, and the layout will necessarily change once the image is loaded. So they can't stop scripts measuring the timing, they just have to stop that timing being able to pass information between different sites.)

How to still cache across sites

Posted Jan 30, 2021 2:13 UTC (Sat) by NYKevin (subscriber, #129325) [Link] (1 responses)

> and there's lots of widely-used APIs that can observe the on-screen layout of the page, and the layout will necessarily change once the image is loaded.

I have often wished that those APIs were *less* powerful, honestly.

There are two use cases for the modern web:

1. The interchange of hypertext documents.
2. Web applications

#2 has an obvious need for fine control over how pages are laid out. However, for case #1, such fine control is (usually) considered an anti-pattern, as the whole point of hypertext is that it can be rescaled or reshaped automatically to fit the client's specific presentation needs.

What really frustrates me is the widespread misuse of APIs (that were clearly intended for case #2) in ways that make case #1 more obnoxious (for lack of a better term). In the 90's and early 2000's, popups were basically obliterated after browsers started systematically blocking them. Today, they're back, but now they're embedded in the page and significantly more annoying (because they're modal). Another common problem is the constant page reflowing as ads and other crap from every random corner of the web gradually pops itself into the DOM. I really would like to be able to just read the damn text without it constantly jumping around.

IMHO the gradual extension of HTML to accommodate these APIs was necessary (because Java and Flash were both terrible) but I still wish we had found a better way of cleanly separating case #1 from case #2. AMP was/is Google's attempt to do this, but everyone hated it for being not-HTML and for its obvious monopolistic tendencies, so I have no idea where that leaves us.

(Disclaimer: I work for Google, but not on anything related to web frontends or AMP.)

How to still cache across sites

Posted Jan 30, 2021 17:47 UTC (Sat) by Wol (subscriber, #4433) [Link]

> What really frustrates me is the widespread misuse of APIs (that were clearly intended for case #2) in ways that make case #1 more obnoxious (for lack of a better term)

All too often I go to print a web page and (when I hit "print preview", because I've learnt) it bears ABSOLUTELY NO RESEMBLANCE WHATSOEVER to what's displayed on screen.

Cheers,
Wol