Splits the HTTP cache using the top frame site and subframe site (where site = scheme://etld+1) to prevent documents from one site from knowing whether a resource from another site was cached. The HTTP cache is currently one per profile, with a single namespace for all resources and subresources regardless of origin or renderer process. Splitting the cache on top frame site helps the browser deflect side-channel attacks where one site can detect resources in another site’s cache.

Motivation

Cache attacks can lead to the following leaks: - Detect if a user has visited a specific site: If the cached resource is specific to a particular site or to a particular cohort of sites, an adversary can detect user’s browsing history by checking if the cache has that resource. - Cross-site search attack: There exist cross site search attack proofs-of-concept which exploit the fact that some popular sites load a specific image when a search result is empty. By opening a tab and performing a search and then checking for that image in the cache, an adversary can detect if an arbitrary string is in the user’s search results.

Documentation

• Threat Model: https://docs.google.com/document/d/1U5zqfaJCFj_URrAmSxJ0C7z0AilLLJ30lgAqShVWnck/edit?usp=sharing
• Design doc:
• https://docs.google.com/document/d/1XJMm89oyd4lJ-LDQuy0CudzBn1TaK0pE-acnfJ-A4vk/edit?usp=sharing

Status in Chromium

Blink components: Blink>Network

Enabled by default (tracking bug) in:

• Chrome for desktop release 77
• Chrome for Android release 77
• Android WebView release 77

Consensus & Standardization

• Firefox: Positive
• Edge: No signal
• Safari: Positive
• Web Developers: No signals

Owners

• shivanisha@chromium.org
• jkarlin@chromium.org

Last updated on 2021-03-22