
Added Partitioned HTTP Cache Bypass #106

Merged
merged 5 commits into from
May 1, 2021

Conversation

NDevTK (Contributor) commented Feb 19, 2021

No description provided.

@terjanq terjanq closed this Feb 19, 2021
@terjanq terjanq reopened this Feb 19, 2021
terjanq (Member) left a review comment

Thanks for the pull request! Added three comments.

content/docs/attacks/navigations.md: three review comments (outdated, resolved)
@NDevTK NDevTK requested a review from terjanq February 20, 2021 03:56
NDevTK (Contributor, Author) commented Feb 23, 2021

@terjanq I made the changes.

NDevTK (Contributor, Author) commented Apr 21, 2021

@terjanq is there a reason this never got added?

terjanq (Member) commented Apr 26, 2021

Hey, as mentioned in the other PR I am busy recently so that was the main reason it wasn't added yet. It's not clear to me why it's working from the bypass description. I'd need to dive deeper into how partitioned cache currently works and whether it's an intended bypass or something the browser should fix (I'd guess the latter). Also, I didn't quite understand the example.

My bet is that this is what happens:

  • A key for the partitioned cache is in the form of the triple (top_frame, parent_frame, resource)
  • If //example.org loads a resource //example.org/img.png then the key would be (example.org, example.org, example.org/img.png), but when we directly visit the resource then the key is also (example.org, example.org, example.org/img.png) because top_frame === parent_frame.

If you have time to confirm that, it would be great, otherwise, when I get more time I will reach out to folks that implemented this to ask a few questions. It's a nice finding and I think that's something browsers would want to fix!

NDevTK (Contributor, Author) commented Apr 26, 2021

@terjanq (I don't think I need to put this here as you're a "participant" for this issue, but I did it anyway.)

I think you're right, but you might want to check.

This is an example of how the network_isolation_key changes, using chrome://net-export:

Normal request by page to image.
{"params":{"initiator":"https://http.cat","load_flags":<Removed>,"method":"GET","network_isolation_key":"https://http.cat https://http.cat","privacy_mode":"disabled","request_type":"other","site_for_cookies":"SiteForCookies: {site=https://http.cat; schemefully_same=true}","url":"https://http.cat/images/200.jpg"},"phase":1,"source":{"id":<Removed>,"start_time":"<Removed>","type":1},"time":"<Removed>","type":100}

Direct .location change to image from different initiator, has same network_isolation_key as above.
{"params":{"initiator":"https://example.com","load_flags":<Removed>,"method":"GET","network_isolation_key":"https://http.cat https://http.cat","privacy_mode":"disabled","request_type":"main frame","site_for_cookies":"SiteForCookies: {site=https://http.cat; schemefully_same=true}","url":"https://http.cat/images/200.jpg"},"phase":1,"source":{"id":<Removed>,"start_time":"<Removed>","type":1},"time":"<Removed>","type":100}

www.example.org is the same key as example.org (eTLD+1)
{"params":{"initiator":"https://www.example.com","load_flags":<Removed>,"method":"GET","network_isolation_key":"https://example.org https://example.org","privacy_mode":"disabled","request_type":"main frame","site_for_cookies":"SiteForCookies: {site=https://example.org; schemefully_same=true}","url":"https://www.example.org/"},"phase":1,"source":{"id":<Removed>,"start_time":"<Removed>","type":1},"time":"<Removed>","type":100}
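
The following is an added example, not code from this PR, from the xsleaks wiki or from Chromium. It is a small JavaScript model of the key derivation described in the two comments above: a network isolation key of the form "<top-frame site> <frame site>" (the net-export format), a site being scheme plus eTLD+1, and a cache entry keyed by isolation key plus URL. It replays the three net-export entries and adds a fourth case (an iframe navigation) to show that only a main-frame navigation collapses both halves of the key onto the destination site. The reduced public-suffix set, the request field names, and the PartitionedCache class are assumptions made for illustration.

```javascript
// Added example (not from the PR or Chromium): toy model of the double-keyed
// HTTP cache as described in the thread. Assumptions: key format is
// "<top-frame site> <frame site>" + URL, site = scheme + eTLD+1, and the
// public-suffix list is reduced to the small hard-coded set below.

const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "cat", "co.uk"]); // assumed PSL subset

// Reduce an origin or URL to its schemeful site (scheme + eTLD+1),
// e.g. https://www.example.org/ -> https://example.org
function schemefulSite(urlStr) {
  const u = new URL(urlStr);
  const labels = u.hostname.split(".");
  let suffixLen = 1; // fall back to the last label if nothing matches
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      suffixLen = labels.length - i;
      break;
    }
  }
  const site = labels.slice(-(suffixLen + 1)).join(".");
  return `${u.protocol}//${site}`;
}

// Network isolation key as chrome://net-export prints it.
// For a main-frame navigation the frame IS the top frame, so both halves are
// the destination's site and the initiator does not enter the key at all.
function networkIsolationKey(req) {
  switch (req.request_type) {
    case "main frame": {
      const site = schemefulSite(req.url);
      return `${site} ${site}`;
    }
    case "sub frame": // iframe navigation: top frame stays, frame becomes the destination
      return `${schemefulSite(req.top_frame)} ${schemefulSite(req.url)}`;
    default: // subresource: keyed by the frames that load it, not by the URL
      return `${schemefulSite(req.top_frame)} ${schemefulSite(req.frame)}`;
  }
}

// Minimal partitioned cache: an entry lives under (isolation key, URL).
class PartitionedCache {
  constructor() { this.entries = new Set(); }
  fetch(req) {
    const k = `${networkIsolationKey(req)}|${req.url}`;
    if (this.entries.has(k)) return "HIT";
    this.entries.add(k);
    return "MISS";
  }
}

// Constructed scenario mirroring the net-export entries in the thread.
function scenario() {
  const cache = new PartitionedCache();
  const img = "https://http.cat/images/200.jpg";

  // 1. The victim's own page on http.cat loads the image as a subresource.
  const victimLoad = { url: img, request_type: "other",
    top_frame: "https://http.cat", frame: "https://http.cat" };
  // 2. An attacker page on example.com embeds the same image: separate partition.
  const attackerEmbed = { url: img, request_type: "other",
    top_frame: "https://example.com", frame: "https://example.com" };
  // 3. The attacker sets location to the image URL: a main-frame request, keyed
  //    from the destination, so it lands in the victim's partition (initiator ignored).
  const attackerNav = { url: img, request_type: "main frame", initiator: "https://example.com" };
  // 4. The attacker navigates an iframe to the image: top frame is still
  //    example.com, so this stays partitioned as intended.
  const attackerIframeNav = { url: img, request_type: "sub frame", top_frame: "https://example.com" };

  const reqs = [victimLoad, attackerEmbed, attackerNav, attackerIframeNav];
  return {
    keys: reqs.map(networkIsolationKey),
    results: reqs.map((r) => cache.fetch(r)), // expected: MISS, MISS, HIT, MISS
  };
}
```

The third request is the case the thread calls out: its isolation key equals the victim's own, so a cache probe made through a top-level navigation sees the victim partition's hit/miss state, while the embedded-image and iframe cases stay isolated.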

NDevTK (Contributor, Author) commented Apr 27, 2021

Hopefully it's better explained now.

terjanq (Member) commented May 1, 2021

Thanks for diving into the issue. It seems that this is not an intentional bypass and we'd want to fix that, awesome work once again :)

I will merge since fixing this will probably take some time.

@terjanq terjanq merged commit e91ecb7 into xsleaks:master May 1, 2021
@NDevTK NDevTK deleted the patch-2 branch May 1, 2021 22:14