This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 28009 - Cross-origin privacy leakage through Application Cache
Summary: Cross-origin privacy leakage through Application Cache
Status: RESOLVED MOVED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: All All
: P2 major
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-13 11:19 UTC by Sangho Lee
Modified: 2019-03-29 19:09 UTC (History)
3 users (show)

See Also:

Attachments
Paper describing the security problem (618.87 KB, application/pdf)
2015-02-13 11:19 UTC, Sangho Lee 		Details

Description Sangho Lee 2015-02-13 11:19:12 UTC 
Created attachment 1573 [details]
Paper describing the security problem

AppCache allows a web application to recognize whether a caching attempt of a web browser succeeds or fails.
However, a malicious web application can exploit this feature to determine whether a victim web browser has a right to access specific cross-origin resources, which is a serious privacy problem.

The details of this attack were presented at Network and Distributed System Security (NDSS) Symposium at Feb. 9, 2015.

http://www.internetsociety.org/doc/identifying-cross-origin-resource-status-using-application-cache


As explained in the paper solving this problem is difficult, so I think that either Origin or Cache-Origin header is necessary to restrict cross-origin AppCache.
Comment 1 Anne 2015-09-02 09:12:37 UTC 
The plan of record is to remove appcache once service workers ships. It's already being deprecated.
Comment 2 Domenic Denicola 2019-03-29 19:09:05 UTC 
https://github.com/whatwg/html/issues/151