Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cache poisoning doesn't just affect shared caches #730

Closed
martinthomson opened this issue Feb 1, 2021 · 0 comments · Fixed by #757
Closed

Cache poisoning doesn't just affect shared caches #730

martinthomson opened this issue Feb 1, 2021 · 0 comments · Fixed by #757
Assignees
@mnot
Labels
caching has-proposal

Comments

@martinthomson
Copy link
Contributor

A private cache that can be manipulated so that it mistakenly creates a cache entry might not have the reach of a shared cache, but it can still be a problem. Cache poisoning occurs when a cache can be written to by an entity other than the one that the cache would normally recognize as being authorized to write to it.

Take the websocket poisoning where a cache misread a websocket stream as HTTP queries and established cached records under arbitrary origins. This would allow for poisoning of entries normally not controlled by the host that was using the websocket. Even though that might have been a single user affected by the poisoning, the effect was serious enough and motivated the inclusion of masking in websocket.
@mnot mnot self-assigned this Feb 2, 2021
@mnot mnot added the caching label Feb 3, 2021
@mnot mnot mentioned this issue Feb 10, 2021
Merged
reschke added a commit that referenced this issue Feb 17, 2021
@reschke
fix changelog (#730)
0ba20d7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mnot mnot

Labels
caching has-proposal
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Broaden cache poisoning httpwg/http-core
2 participants
@martinthomson @mnot