Partition the HTTP Cache

Splits the HTTP cache using top frame origin (and possibly subframe origin) to prevent documents from one origin from knowing whether a resource from a cross-origin was cached. The HTTP cache is currently one per profile, with a single namespace for all resources and subresources regardless of origin or renderer process. Splitting the cache on top frame origins helps the browser deflect side-channel attacks where one site can detect resources in another site’s cache.

Cache attacks can lead to the following leaks: - Detect if a user has visited a specific site: If the cached resource is specific to a particular site or to a particular cohort of sites, an adversary can detect user’s browsing history by checking if the cache has that resource. - Cross-site search attack: There exist cross site search attack proofs-of-concept which exploit the fact that some popular sites load a specific image when a search result is empty. By opening a tab and performing a search and then checking for that image in the cache, an adversary can detect if an arbitrary string is in the user’s search results.

Documentation

Status in Chromium

Blink>Network


Behind a flag (tracking bug) in:

  • Chrome for desktop release 77
  • Chrome for Android release 77
  • Android WebView release 77

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Public support
  • No public signals
  • Public support
  • No signals

Owners

Last updated on 2019-08-09