How to still cache across sites
Posted Feb 1, 2021 10:38 UTC (Mon) by excors (subscriber, #95769) In reply to: How to still cache across sites by ras
Parent article: Firefox 85 released
I believe that's only a subset of what they're trying to defend against. E.g. the cache isolation feature was discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1536058 because of an attack that depends only on cached vs uncached load timing. One developer says cache isolation "is a long-term anti-tracking goal too (in order to prevent ETag-based tracking vectors) so this gives us yet another privacy related reason for doing so", so they had already been thinking about this more general solution. There's also stuff like https://github.com/w3c/server-timing/issues/67 where a cached HTTP header can be used as an identifier (which wouldn't be protected by your scheme if you're hashing just the response's body; and you probably can't hash headers without breaking HTTP proxies).
The specific attack mentioned in Mozilla's blog post could be prevented in other cheaper ways, but that would do nothing against a lot of other published and yet-to-be-discovered attacks, so they went with cache isolation to prevent all those different methods (including the timing ones) at once.
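A toy model of the ETag point in the comment above, added here as an example; it is not part of the comment thread and is not Firefox code. The `HttpCache` class, the server and the `example` hostnames are constructed for illustration. It compares a cache keyed by URL alone with one keyed by (top-level site, URL), and the response body is identical in every case, so a body hash alone would not tell the responses apart.

```javascript
// Toy model of a browser HTTP cache (constructed; not Firefox's implementation).
// partitioned=false keys entries by URL only; partitioned=true keys them by
// (top-level site, URL), which is the idea behind cache isolation.
class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  // Performs one load and returns the request headers that were sent.
  fetch(topLevelSite, url, server) {
    const k = this.key(topLevelSite, url);
    const cached = this.entries.get(k);
    // A cached entry is revalidated by echoing its stored validator.
    const reqHeaders = cached ? { "If-None-Match": cached.etag } : {};
    const res = server(reqHeaders);
    if (res.status === 200) this.entries.set(k, { etag: res.etag, body: res.body });
    return reqHeaders;
  }
}

// Constructed third-party server: the body is the same for every client, but
// each first contact gets a distinct ETag, and echoed validators are recorded.
function makeServer() {
  let next = 0;
  const seen = [];
  const handler = (reqHeaders) => {
    const tag = reqHeaders["If-None-Match"];
    seen.push(tag ?? null);
    if (tag) return { status: 304, etag: tag };
    return { status: 200, etag: `"v-${++next}"`, body: "same bytes for everyone" };
  };
  return { handler, seen };
}

// Load one third-party URL under two top-level sites; return the validators
// the server observed on the first and second load.
function validatorsSeen(partitioned) {
  const cache = new HttpCache(partitioned);
  const server = makeServer();
  const url = "https://thirdparty.example/lib.js";
  cache.fetch("https://site-a.example", url, server.handler);
  cache.fetch("https://site-b.example", url, server.handler);
  return server.seen;
}

console.log("URL-keyed cache:  ", validatorsSeen(false)); // second load echoes site-a's ETag
console.log("partitioned cache:", validatorsSeen(true));  // second load is a fresh miss
```

With the URL-keyed cache the load under the second site carries the validator stored under the first; with the partitioned key it carries none.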
Posted Feb 1, 2021 11:16 UTC (Mon)
by ras (subscriber, #33059)
Sigh. I hadn't thought of headers. But this is a new sort of fetch, and for this sort you could say "you don't get access to no stink'in headers". Or perhaps you just get access to a harmless pre-defined set, similar to what CORS allows.
In any case this can't be a replacement as not everything is immutable. You still need to do the cache isolation for the non-immutable stuff. It can only be an addition that eliminates the impacts of the cache isolation for stuff that doesn't need it.