Privacy consideration about the "cache" parameter of the Request object #585
(Copied from #398 (comment))
Let's start reviewing new functionalities carefully from a security point of view.
I'm concerned that fetch() with the cache parameter set to e.g. the only-if-cached option may cause a privacy leak. Like CSS :visited (http://dbaron.org/mozilla/visited-privacy), could it be abused to probe if a certain site was visited by the user?
changed the title from "Security consideration about the `cache` parameter of `Request`" to "Privacy consideration about the `cache` parameter of `Request`" on Dec 10, 2014
same-origin makes sense if it's a significant attack. I'm not sure it is -- how is this qualitatively different than timing the cache, or just examining the Date in the response (subject to clock skew)?
AFAICT the only differences are:
For cross-origin 'without credentials' (the default) XHRs Gecko is using a distinct cache area called 'anonymous'. There is more - the anonymous context means to not send out any authorization headers, cookies, and to not use the standard cache (that is populated when you visit the page/load the resource as part of the page content.)
We could do the same here?
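
The two mitigations raised in this thread (restricting only-if-cached to same-origin requests, and a separate 'anonymous' cache area for credential-less cross-origin requests) can be compared in a small model. This is an added example, not code from the thread, the Fetch specification or Gecko; `ModelCache`, its options, the outcome strings and the `.example` URLs are assumptions constructed for illustration.

```javascript
// Toy model of an HTTP cache, constructed for illustration (not browser code).
// Entries are keyed by (partition, url).
class ModelCache {
  constructor({ partitionAnonymous, sameOriginOnly }) {
    this.partitionAnonymous = partitionAnonymous; // separate "anonymous" area
    this.sameOriginOnly = sameOriginOnly; // only-if-cached needs same-origin
    this.entries = new Set();
  }

  static isCrossOrigin(req) {
    return new URL(req.url).origin !== req.initiatorOrigin;
  }

  // Credential-less cross-origin requests use the "anonymous" partition when
  // partitioning is on; everything else shares "default".
  partitionFor(req) {
    const anonymous = ModelCache.isCrossOrigin(req) && !req.credentials;
    return this.partitionAnonymous && anonymous ? "anonymous" : "default";
  }

  // Outcome as seen by the caller: "rejected", "hit", "error" or "miss".
  fetch(req) {
    const onlyIfCached = req.cache === "only-if-cached";
    if (onlyIfCached && this.sameOriginOnly && ModelCache.isCrossOrigin(req)) {
      return "rejected"; // refused before the cache is consulted
    }
    const key = `${this.partitionFor(req)}|${req.url}`;
    if (this.entries.has(key)) return "hit";
    if (onlyIfCached) return "error"; // never goes to the network
    this.entries.add(key); // fetched from the network and stored
    return "miss";
  }
}

// True when a cross-origin only-if-cached request yields a different outcome
// depending on whether the user loaded the target earlier (visit state leaks).
function visitStateObservable(options) {
  const url = "https://visited.example/logo.png"; // constructed sample URL
  const outcomes = [true, false].map((visited) => {
    const cache = new ModelCache(options);
    if (visited) { // ordinary same-origin page load, with credentials
      cache.fetch({ url, initiatorOrigin: "https://visited.example",
                    credentials: true, cache: "default" });
    }
    return cache.fetch({ url, initiatorOrigin: "https://other.example",
                         credentials: false, cache: "only-if-cached" });
  });
  return outcomes[0] !== outcomes[1];
}
```

In this model either mitigation alone makes the cross-origin outcome independent of earlier visits; it does not model the timing or Date-header channels also mentioned in the thread.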