Splits the HTTP cache using the top frame site and subframe site (where site = scheme://eTLD+1) to prevent documents from one site from knowing whether a resource from another site was cached. The HTTP cache is currently one per profile, with a single namespace for all resources and subresources regardless of origin or renderer process. Splitting the cache on top frame site helps the browser deflect side-channel attacks where one site can detect resources in another site’s cache.

Motivation

Cache attacks can lead to the following leaks:

  • Detect if a user has visited a specific site: If the cached resource is specific to a particular site or to a particular cohort of sites, an adversary can detect the user’s browsing history by checking if the cache has that resource.
  • Cross-site search attack: There exist cross-site search attack proofs-of-concept which exploit the fact that some popular sites load a specific image when a search result is empty. By opening a tab and performing a search and then checking for that image in the cache, an adversary can detect if an arbitrary string is in the user’s search results.
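The following model is an added example, not Chromium code: it contrasts a single-namespace cache with one keyed on top frame site and subframe site, and shows which lookups hit in each. The `siteOf` helper, the class and function names, and the `shop.example` / `other.test` URLs are constructed for illustration, and `siteOf` approximates eTLD+1 by taking the last two host labels.

```javascript
// Assumption: "site" is approximated as scheme + last two host labels.
// Real browsers derive eTLD+1 from the Public Suffix List.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// Single namespace per profile: the key is the resource URL alone.
function sharedKey(resourceUrl) {
  return resourceUrl;
}

// Split cache: the key also carries the top frame site and subframe site.
function partitionedKey(resourceUrl, topFrameUrl, frameUrl) {
  return JSON.stringify([siteOf(topFrameUrl), siteOf(frameUrl), resourceUrl]);
}

class HttpCacheModel {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.entries = new Set();
  }
  // Returns true on a cache hit; a miss stores the entry, as a network fetch would.
  fetch(resourceUrl, topFrameUrl, frameUrl = topFrameUrl) {
    const key = this.keyFn(resourceUrl, topFrameUrl, frameUrl);
    const hit = this.entries.has(key);
    this.entries.add(key);
    return hit;
  }
}

// Constructed scenario: the user's own visit caches a site-specific image,
// then the same URL is requested from three different contexts.
function probeResults(keyFn) {
  const cache = new HttpCacheModel(keyFn);
  const image = 'https://static.shop.example/no-results.png';
  const shop = 'https://www.shop.example/search?q=term';
  const other = 'https://other.test/page';
  cache.fetch(image, shop); // first-party load fills the cache
  return {
    sameSiteRevisit: cache.fetch(image, shop),
    crossSiteTopFrame: cache.fetch(image, other),
    shopFrameUnderOtherTop: cache.fetch(image, other, shop),
  };
}

console.log('shared     ', probeResults(sharedKey));
console.log('partitioned', probeResults(partitionedKey));
```

With the split key, only the same-site revisit is a hit; the other two contexts get their own cache partition and see a miss regardless of what the user loaded on the first site.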

Documentation

Status in Chromium

Blink>Network


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • Positive
  • No signals

Owners

Last updated on 2021-03-22