The spec says that when an iframe (a child browsing context) doesn't refer to a manifest in the <html> tag, it has to inherit the cache from its parent's document.

1. This should be restricted to the same origin, because when an offline application loads a site (an advertisement or whatever site) in an iframe, that site has full access to the window.applicationCache object and can inject into the cache any kind of resource from any origin without user notification. This resource is then carried among cache versions until explicitly overwritten or deleted from the cache.

2. When a completely different site from a different origin, in this case not malicious, is loaded in an iframe from inside of an offline application, the site would probably be completely broken - the resources on the page could not be loaded because of the associated cache of a probably unrelated offline application.

3. Master documents are associated with the cache after the cache update has finished. I perceive this step as a way to make the offline application document be in a consistent state after the cache update has finished, without the need to refresh the top document, right? But iframes that should inherit the cache from their parents are not associated (there was no cache at the moment of load/cache selection algorithm, and there is nothing visible in the spec to do the association later). A workaround is to add a reference to the manifest to all iframe'd documents, but in that case there is no need to have special handling for such child contexts in case they don't refer to a manifest.


All these points lead me to the opinion that the cache inheritance feature for child contexts should be removed. The manifest reference will not involve any new updates because they are atomically cumulated and let different sites "fall off" the offline app context. Also, we don't have any cross-site security risks, even just potential ones.

Potentially, to preserve inheritance and save web developers some work, we may introduce an explicit attribute on the iframe defining the manifest to use, or just saying to let the context inherit the cache from the parent.

-hb-
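
Added example, not part of the original message and not spec or browser code: a small model of cache selection for a framed document, comparing the inheritance behaviour described above with the same-origin restriction from point 1 and with the proposed removal of inheritance. The function names, policy labels and example.* URLs are assumptions made for illustration.

```javascript
// Added illustration; every name below is hypothetical, not a browser or spec API.

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide which application cache a child browsing context (iframe) is
// associated with at load time.
//   "spec"        - inherit whenever the child references no manifest
//   "same-origin" - point 1: inherit only from a same-origin parent
//   "none"        - the proposal: no inheritance, only an explicit manifest
function selectCacheForChild(parent, child, policy) {
  if (child.manifest) {
    // An explicit manifest reference always wins; resolve it against the child URL.
    return { manifest: new URL(child.manifest, child.url).href, inherited: false };
  }
  if (!parent.cache) return null; // point 3: no cache exists yet, nothing to inherit
  if (policy === "none") return null;
  if (policy === "same-origin" && !sameOrigin(parent.url, child.url)) return null;
  return { manifest: parent.cache, inherited: true };
}

// Constructed sample data: an offline app and three framed documents.
const app = { url: "https://app.example/index.html", cache: "https://app.example/offline.manifest" };
const frames = {
  ownPanel: { url: "https://app.example/panel.html" },
  thirdParty: { url: "https://ads.example/banner.html" },
  explicit: { url: "https://app.example/help.html", manifest: "help.manifest" },
};

// Return, per policy, the manifest each frame ends up associated with (or null).
function compare(parent) {
  const out = {};
  for (const policy of ["spec", "same-origin", "none"]) {
    out[policy] = {};
    for (const [name, frame] of Object.entries(frames)) {
      const sel = selectCacheForChild(parent, frame, policy);
      out[policy][name] = sel ? sel.manifest : null;
    }
  }
  return out;
}

console.log(JSON.stringify(compare(app), null, 2));
```

Only the "spec" policy associates the cross-origin frame with the application's cache; passing a parent whose cache is still null models the timing gap from point 3, where even a same-origin frame ends up with no cache.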
