
Intent to Unship: Application Cache over Insecure Contexts


Jonathan Kingston

Jan 18, 2018, 6:14:10 PM1/18/18
to dev-platform
AppCache is a powerful feature on the web that permits a web page to be
viewed offline. This increases the risk that a user is unaware of the
source of the web page content when browsing over HTTP.

Besides fundamental issues with AppCache, which are summarized in this
article [http://alistapart.com/article/application-cache-is-a-douchebag],
AppCache increases the risk of a MitM attack to a user. The user's cache
persists with a device once they change to a different network.

Example attack: Assume a user visits a website over an insecure WiFi
network and the connection to the site was MitM'ed. The MitM injected its
own content into the website and the browser then caches that content. The
user decides not to enter their sensitive data whilst on an insecure
network. The user then takes their device home and tries to visit the site
over the internet provided by their ISP. The user now assumes they can
enter sensitive information with less risk. But since the page content was
cached over the insecure WiFi network, it will still be the malicious
content from the attacker. The sensitive data entered is then sent to the
attacker instead of the website. In addition, the cached content can also
redirect the user to a secure web page owned by the attacker.

For more explanations of the risks see Jake Archibald’s comment regarding
AppCache issues:

https://bugzilla.mozilla.org/show_bug.cgi?id=1237782#c34

Impact on the Web:

Firefox 44 has started to provide a deprecation for all of AppCache:

https://www.fxsitecompat.com/en-CA/docs/2016/application-cache-support-will-be-removed/

Chrome has previously shown intent to deprecate and remove AppCache for
insecure origins, but for one reason or the other that didn’t happen:

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/UKF8cK0EwMI

Additionally, AppCache has been deprecated from the HTML standard:

https://html.spec.whatwg.org/multipage/offline.html#offline

Developers are advised to use service workers instead of AppCache which are
now supported in all major browser early releases including Safari
Technology Preview! Websites will be required to use HTTPS to use service
workers but websites will gain lots more functionality too.
https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers

In 2016 Chrome's telemetry suggested "around 1.9% of all page loads use
include an AppCache main page load event, but only 0.05% do that over an
insecure origin".

Firefox telemetry suggests 0.02% in stable 57 for documents and 0.17% for
pages (for secure and not secure):
https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2018-01-03&keys=__none__!__none__!__none__&max_channel_version=release%252F57&measure=USE_COUNTER2_DEPRECATED_AppCache_PAGE&min_channel_version=null&processType=*&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-11-12&table=0&trim=1&use_submission_date=0

Given that we also just announced that usage statistics were overcounting
for use counters (https://groups.google.com/forum/#!topic/mozilla.dev.platform/3pdSQtwOz5g)
I think this is a safe position to remove from insecure pages given the
risks.

Removal Implementation:

Implementation is happening in: https://bugzilla.mozilla.org/show_bug.cgi?id=1354175

The intent in Firefox 60 is to ship a pref
"browser.cache.offline.insecure.enable"
to remove AppCache over insecure contexts.

When the pref is set to false the API will be removed:

- window.applicationCache will be removed
- The cache service Firefox implements for AppCache will be disabled over
Insecure Contexts


When the pref is set to true the code will produce an additional developer
console warning about the removal timeline.

In Nightly and Early beta for 60; the pref will be set to false removing
the API.

In Firefox 62 Stable I plan to switch the pref to false if no further
issues arise.

Kind regards

Jonathan


Resending notice as it didn't reach the Google group.

Mike Taylor

Jan 19, 2018, 12:26:55 PM1/19/18
to Jonathan Kingston, dev-platform
Hi Jonathan,

> On Jan 18, 2018, at 5:13 PM, Jonathan Kingston <j...@mozilla.com> wrote:
>
> The intent in Firefox 60 is to ship a pref
> "browser.cache.offline.insecure.enable"
> to remove AppCache over insecure contexts.
>
> When the pref is set to false the API will be removed:
>
> - window.applicationCache will be removed
> - The cache service Firefox implements for AppCache will be disabled over
> Insecure Contexts
>
>
> When the pref is set to true the code will produce an additional developer
> console warning about the removal timeline.
>
> In Nightly and Early beta for 60; the pref will be set to false removing
> the API.

It will be interesting to see if we get reports of pages (that don’t feature test) throwing with the missing applicationCache global. A few years (and laptops) ago I had done some site corpus grepping — I’ll see if I can find any of that data.

Later,

--
Mike Taylor
Web Compat, Mozilla
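Jonathan's advice to migrate to service workers and Mike's remark about pages that touch the applicationCache global without feature testing both come down to the same client-side pattern. The following is an added example, not code from the thread or from Firefox: it contrasts the legacy "assume the global exists" access with a guarded version that prefers a service worker in secure contexts and only falls back to AppCache where it is still exposed. The `fakeWindow` environments and the `/sw.js` path are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example (not from the thread): feature-detect window.applicationCache
// and prefer service workers. The window objects below are constructed
// stand-ins so the logic runs under Node; "/sw.js" is a hypothetical path.

// Legacy pattern: assumes the global exists. Throws a TypeError once a
// browser removes window.applicationCache on insecure pages, which is the
// breakage Mike's message anticipates for sites that don't feature test.
function legacyHookAppCache(win) {
  win.applicationCache.addEventListener('updateready', () => win.location.reload());
  return win.applicationCache.status;
}

// Guarded pattern: check before touching the global.
function hasAppCache(win) {
  return 'applicationCache' in win && win.applicationCache != null;
}

// Service workers are only available in secure contexts, so check that
// first rather than relying on register() rejecting later.
function hasServiceWorker(win) {
  return win.isSecureContext === true &&
         win.navigator != null &&
         'serviceWorker' in win.navigator;
}

// Wire up the best available offline mechanism; returns which one was used.
function setupOffline(win, swPath) {
  if (hasServiceWorker(win)) {
    win.navigator.serviceWorker.register(swPath);
    return 'service-worker';
  }
  if (hasAppCache(win)) {
    win.applicationCache.addEventListener('updateready', () => win.location.reload());
    return 'appcache';
  }
  return 'none';
}

// Constructed stand-in for a browser window with the given capabilities.
function fakeWindow({ secure, appCache, serviceWorker }) {
  const registered = [];
  const win = {
    isSecureContext: secure,
    location: { reload() {} },
    navigator: serviceWorker
      ? { serviceWorker: { register(p) { registered.push(p); return Promise.resolve(); } } }
      : {},
    registered,
  };
  if (appCache) {
    win.applicationCache = { status: 0, addEventListener() {} };
  }
  return win;
}

// http:// page in Firefox 60 Nightly: global removed, not a secure context.
const insecureFx60 = fakeWindow({ secure: false, appCache: false, serviceWorker: false });
// https:// page in a browser that still exposes both mechanisms.
const secureModern = fakeWindow({ secure: true, appCache: true, serviceWorker: true });
// http:// page in an older browser that still exposes AppCache.
const insecureOld = fakeWindow({ secure: false, appCache: true, serviceWorker: false });

// True when the legacy code path throws a TypeError in this environment.
function legacyThrows(win) {
  try {
    legacyHookAppCache(win);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('insecure Fx60, legacy throws:', legacyThrows(insecureFx60));   // true
  console.log('insecure Fx60, guarded:', setupOffline(insecureFx60, '/sw.js')); // none
  console.log('secure modern, guarded:', setupOffline(secureModern, '/sw.js')); // service-worker
  console.log('insecure old, guarded:', setupOffline(insecureOld, '/sw.js'));   // appcache
}
```

The guarded version is what a site should ship during the deprecation window: it never dereferences `window.applicationCache` unconditionally, and it stops depending on AppCache at all once the page is served over HTTPS and a service worker can take over.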


Ben Kelly

Jan 19, 2018, 12:48:05 PM1/19/18
to Mike Taylor, dev-platform, Jonathan Kingston
On Fri, Jan 19, 2018 at 12:26 PM, Mike Taylor <mi...@mozilla.com> wrote:

> > When the pref is set to false the API will be removed:
> >
> > - window.applicationCache will be removed
> > - The cache service Firefox implements for AppCache will be disabled over
> > Insecure Contexts
> >
> >
> > When the pref is set to true the code will produce an additional
> developer
> > console warning about the removal timeline.
> >
> > In Nightly and Early beta for 60; the pref will be set to false removing
> > the API.
>
> It will be interesting to see if we get reports of pages (that don’t
> feature test) throwing with the missing applicationCache global. A few
> years (and laptops) ago I had done some site corpus grepping — I’ll see if
> I can find any of that data.
>

It's been suggested before that we could leave the applicationCache global
in place, but just make it do nothing in insecure contexts.

Jonathan Kingston

Jan 19, 2018, 1:55:52 PM1/19/18
to Ben Kelly, dev-platform, Mike Taylor
> It's been suggested before that we could leave the applicationCache global
> in place, but just make it do nothing in insecure contexts.

I did see this idea of keeping the applicationCache global in one of the
bugs, I think if we have breakage we could try this as a follow up piece of
work along with other approaches like expiring the cache more often.

Jonathan Kingston

Feb 2, 2018, 9:58:42 AM2/2/18
to Ben Kelly, dev-platform, Mike Taylor
This has now landed into central and appears to be sticking:
https://www.fxsitecompat.com/en-CA/docs/2018/support-for-application-cache-on-insecure-sites-has-been-deprecated/

I have filed a follow up bug to remove "OfflineResourceList" interface we
use: https://bugzilla.mozilla.org/show_bug.cgi?id=1435261

Also Anne filed a bug on the standard as it appears other browsers are
interested now in doing the same: https://github.com/whatwg/html/issues/3440

This also means we can move the tests into Web Platform Tests to ensure all
browsers implement the same.

Jonathan Kingston

May 10, 2018, 12:02:35 PM5/10/18
to dev-platform
As the removal has ridden the trains through Beta without issue I'm going to
remove AppCache over insecure contexts for stable as originally stated for
62.

The work is happening here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1460478

Mike West did a wonderful job of adding web-platform-tests, thank you!

https://github.com/w3c/web-platform-tests/commit/bf17459a71ff4d1ea280bae54dd046ecf86e0628