info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to Implement- Double-keyed HTTP cache
782 views
Skip to first unread message
Sebastian Streich
Aug 21, 2019, 1:40:08 PM8/21/19
to dev-pl...@lists.mozilla.org
Intent to Implement- Double-keyed HTTP cache
Summary:
Currently Browsers are vulnerable to cache-timing attacks, commonly
referred to as XS Leaks attacks. Starting with Firefox 70 we want to
explore a double-keyed HTTP cache. Instead of solely using the origin of
the resource, we will double key the HTTP Cache using the top-level origin.
Using the top-level origin as the 2nd Key in the HTTP Cache allows to
counterfeit XS Leaks and eliminates the ability of checking cache contents
across Origins.
Bug: Bugzilla 1536058
<https://bugzilla.mozilla.org/show_bug.cgi?id=1536058>
Standard: https://github.com/whatwg/fetch/issues/904
Platform coverage: all platforms
Estimated or target release: Firefox 70
Preference: The feature will be pref'd behind
“browser.cache.cache_isolation”
and disabled by default.
Other browsers:
webkit: shipped
Chrome <https://bugs.chromium.org/p/chromium/issues/detail?id=910708>:
implementing
web-platform-tests: <none yet>
Secure contexts: This feature isn’t restricted to Secure Contexts.
Estimated or target release: Firefox 70
Summary:
Currently Browsers are vulnerable to cache-timing attacks, commonly
referred to as XS Leaks attacks. Starting with Firefox 70 we want to
explore a double-keyed HTTP cache. Instead of solely using the origin of
the resource, we will double key the HTTP Cache using the top-level origin.
Using the top-level origin as the 2nd Key in the HTTP Cache allows to
counterfeit XS Leaks and eliminates the ability of checking cache contents
across Origins.
Bug: Bugzilla 1536058
<https://bugzilla.mozilla.org/show_bug.cgi?id=1536058>
Standard: https://github.com/whatwg/fetch/issues/904
Platform coverage: all platforms
Estimated or target release: Firefox 70
Preference: The feature will be pref'd behind
“browser.cache.cache_isolation”
and disabled by default.
Other browsers:
webkit: shipped
Chrome <https://bugs.chromium.org/p/chromium/issues/detail?id=910708>:
implementing
web-platform-tests: <none yet>
Secure contexts: This feature isn’t restricted to Secure Contexts.
Estimated or target release: Firefox 70
Martin Thomson
Aug 21, 2019, 10:26:55 PM8/21/19
to Sebastian Streich, Ehsan Akhgari, Anne van Kesteren, dev-platform
Hi Sebastian,
I'm glad to see us moving toward having better isolation in this way.
In discussions of this sort of keying strategy, the guidance I repeatedly
hear is that "double-keying" isn't sufficient and that you need to key on
the chain of origins. That is, if A frames B and C, and B in turn also
frames C, then the two C frames are isolated from each other in the same
way that they are isolated from a top-level C.
I took a look at both the fetch issue and your patch and it wasn't clear
what strategy we're using. As an aside, an issue on a repo isn't really a
specification. I couldn't find a PR on fetch either.
What is the tuple we're keying on?
Cheers,
Martin
On Thu, Aug 22, 2019 at 3:40 AM Sebastian Streich <sstr...@mozilla.com>
wrote:
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
I'm glad to see us moving toward having better isolation in this way.
In discussions of this sort of keying strategy, the guidance I repeatedly
hear is that "double-keying" isn't sufficient and that you need to key on
the chain of origins. That is, if A frames B and C, and B in turn also
frames C, then the two C frames are isolated from each other in the same
way that they are isolated from a top-level C.
I took a look at both the fetch issue and your patch and it wasn't clear
what strategy we're using. As an aside, an issue on a repo isn't really a
specification. I couldn't find a PR on fetch either.
What is the tuple we're keying on?
Cheers,
Martin
On Thu, Aug 22, 2019 at 3:40 AM Sebastian Streich <sstr...@mozilla.com>
wrote:
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
Anne van Kesteren
Aug 22, 2019, 4:12:34 AM8/22/19
to Martin Thomson, Sebastian Streich, Ehsan Akhgari, dev-platform
On Thu, Aug 22, 2019 at 4:26 AM Martin Thomson <m...@mozilla.com> wrote:
> What is the tuple we're keying on?
Top-level origin only. This still allows C to attack B in your
> What is the tuple we're keying on?
scenario (or vice versa). There's a variety of other side channel
attacks on "<iframe> sites" too, including various members of the
Window object, history.length, and clickjacking. It would also allow B
or C to attack A, though there's a number of other things possible
there too.
I definitely think it's worth figuring out how we can enable "<iframe>
sites" to better protect themselves as well as figuring out how to
improve sandboxing of "<iframe> sites", but it would require a broader
effort than caches I think. I think isolating by top-level origin is a
huge improvement over the status quo and stops a fair number of
practical attacks against major sites (modulo popup attacks, see
Cross-Origin-Opener-Policy for that). (Many of which you can't frame
to be clear, due to X-Frame-Options.)
d...@chromium.org
Aug 22, 2019, 9:33:03 AM8/22/19
to
On Thursday, August 22, 2019 at 11:26:55 AM UTC+9, Martin Thomson wrote:
> Hi Sebastian,
>
> I'm glad to see us moving toward having better isolation in this way.
>
> In discussions of this sort of keying strategy, the guidance I repeatedly
> hear is that "double-keying" isn't sufficient and that you need to key on
> the chain of origins. That is, if A frames B and C, and B in turn also
> frames C, then the two C frames are isolated from each other in the same
> way that they are isolated from a top-level C.
>
> I took a look at both the fetch issue and your patch and it wasn't clear
> what strategy we're using. As an aside, an issue on a repo isn't really a
> specification. I couldn't find a PR on fetch either.
For what its worth, browsers are also discussing what changes will need to be made for certain requests (like prefetch) in a double-keyed world. See [1], and the associated HTML Standard PR [2]. But you're right, there doesn't seem to be a real spec change at the moment for double-keyed cache itself from what I know.
> Hi Sebastian,
>
> I'm glad to see us moving toward having better isolation in this way.
>
> In discussions of this sort of keying strategy, the guidance I repeatedly
> hear is that "double-keying" isn't sufficient and that you need to key on
> the chain of origins. That is, if A frames B and C, and B in turn also
> frames C, then the two C frames are isolated from each other in the same
> way that they are isolated from a top-level C.
>
> I took a look at both the fetch issue and your patch and it wasn't clear
> what strategy we're using. As an aside, an issue on a repo isn't really a
> specification. I couldn't find a PR on fetch either.
]1]: https://github.com/w3c/resource-hints/issues/82
[2]: https://github.com/whatwg/html/pull/4115
Anne van Kesteren
Nov 13, 2019, 10:20:08 AM11/13/19
to Sebastian Streich, dev-platform
On Wed, Aug 21, 2019 at 7:40 PM Sebastian Streich <sstr...@mozilla.com> wrote:
> Estimated or target release: Firefox 70
The plan is to enable this on Firefox 72 Nightly to see if there's any
> Estimated or target release: Firefox 70
fallout that needs addressing. It will not ride the trains. This is
tracked by https://bugzilla.mozilla.org/show_bug.cgi?id=1594004.
As network caches in general are a privacy and security concern, we're
tracking isolating all of them using the top-level origin in
https://bugzilla.mozilla.org/show_bug.cgi?id=1590107. If there are
further caches that could use such isolation, please do file a bug
blocking that bug.
0 new messages