AppCache: Resource override scope checking

Manifests previously allowed overriding any URL within a given origin. Scope checking is being introduced to ensure only URLs within a manifest's scope can be overridden. The default manifest scope will be the path to the manifest's enclosing directory. Sites that desire a manifest be given a broader scope can add a response header "X-AppCache-Allowed: /" to manifest responses to preserve the previous behavior.

Chromium's AppCache implementation supports non-spec-compliant resource overrides in the CHROMIUM-INTERCEPT and FALLBACK manifest sections. Recently we discovered complicating security issues due to this support and so we're adding the concept of a scope to the AppCache manifest to ensure that only resources that fall within that scope are allowed to be overridden. Introducing these measures in this way allows mitigating the security issue while retaining the functionality sites expect. If a site requires the previous behavior of an origin-wide manifest scope, sites can add a response header "X-AppCache-Allowed: /" to manifest responses.

Documentation

Specification

No public standards discussion

Status in Chromium

Blink>Storage>AppCache


Enabled by default (tracking bug) in:

  • Chrome for desktop release 80
  • Chrome for Android release 80
  • Android WebView release 80

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2020-05-19