Splits the HTTP cache using the top frame origin (and possibly subframe origin) to prevent documents from one origin from knowing whether a resource from another origin was cached. The HTTP cache is currently one per profile, with a single namespace for all resources and subresources regardless of origin or renderer process. Splitting the cache on top frame origins helps the browser deflect side-channel attacks where one site can detect resources in another site’s cache.
Motivation
Cache attacks can lead to the following leaks: - Detect if a user has visited a specific site: If the cached resource is specific to a particular site or to a particular cohort of sites, an adversary can detect user’s browsing history by checking if the cache has that resource. - Cross-site search attack: There exist cross site search attack proofs-of-concept which exploit the fact that some popular sites load a specific image when a search result is empty. By opening a tab and performing a search and then checking for that image in the cache, an adversary can detect if an arbitrary string is in the user’s search results.
Documentation
Status in Chromium
In developer trial (Behind a flag) (tracking bug) in:
- Chrome for desktop release 77
- Chrome for Android release 77
- Android WebView release 77
Consensus & Standardization
- Positive
- No signal
- Positive
- No signals
Owners
Last updated on 2020-12-21