Re: Intent to Implement- Double-keyed HTTP cache

2019-11-13 Thread Anne van Kesteren
On Wed, Aug 21, 2019 at 7:40 PM Sebastian Streich wrote:
> Estimated or target release: Firefox 70

The plan is to enable this on Firefox 72 Nightly to see if there's any fallout that needs addressing. It will not ride the trains. This is tracked by

Re: Intent to Implement- Double-keyed HTTP cache

2019-08-22 Thread dom
tml/pull/4115
>
> What is the tuple we're keying on?
>
> Cheers,
> Martin
>
> On Thu, Aug 22, 2019 at 3:40 AM Sebastian Streich wrote:
> > Intent to Implement- Double-keyed HTTP cache
> >
> >
> > Summary:
> >
> > Currently Browsers are vu

Re: Intent to Implement- Double-keyed HTTP cache

2019-08-22 Thread Anne van Kesteren
On Thu, Aug 22, 2019 at 4:26 AM Martin Thomson wrote:
> What is the tuple we're keying on?

Top-level origin only. This still allows C to attack B in your scenario (or vice versa). There's a variety of other side channel attacks on " sites" too, including various members of the Window object,

Re: Intent to Implement- Double-keyed HTTP cache

2019-08-21 Thread Martin Thomson
cation. I couldn't find a PR on fetch either. What is the tuple we're keying on?

Cheers,
Martin

On Thu, Aug 22, 2019 at 3:40 AM Sebastian Streich wrote:
> Intent to Implement- Double-keyed HTTP cache
>
>
> Summary:
>
> Currently Browsers are vulnerable to cache-timing attacks,

Intent to Implement- Double-keyed HTTP cache

2019-08-21 Thread Sebastian Streich
Intent to Implement- Double-keyed HTTP cache

Summary:

Currently Browsers are vulnerable to cache-timing attacks, commonly referred to as XS Leaks attacks. Starting with Firefox 70 we want to explore a double-keyed HTTP cache. Instead of solely using the origin of the resource, we will double