Bug 182442

Summary: Restrict AppCache to Secure Contexts
Product: WebKit
Reporter: John Wilander <wilander>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: achristensen, bfulgham, dbates, webkit-bug-importer, wilander, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description John Wilander 2018-02-02 11:29:01 PST
From Mozilla Dev Platform discussion (https://groups.google.com/forum/#!topic/mozilla.dev.platform/qLTTpdzcDkw):

AppCache is a powerful feature on the web that permits a web page to be viewed offline. This increases the risk that a user is unaware of the source of the web page content when browsing over HTTP.

Besides fundamental issues with AppCache, which are summarized in this article [http://alistapart.com/article/application-cache-is-a-douchebag], AppCache increases the risk of a MitM attack to a user. The user's cache persists with a device once they change to a different network.

Example attack: Assume a user visits a website over an insecure WiFi network and the connection to the site was MitM’ed. The MitM injected its own content into the website and the browser then caches that content. The user decides not to enter their sensitive data whilst on an insecure network. The user then takes their device home and tries to visit the site over the internet provided by their ISP. The user now assumes they can enter sensitive information with less risk. But since the page content was cached over the insecure WiFi network, it will still be the malicious content from the attacker. The sensitive data entered is then sent to the attacker instead of the website. In addition, the cached content can also redirect the user to a secure web page owned by the attacker.

Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1354175
Blink dev discussion: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/ANnafFBhReY
WhatWG issue: https://github.com/whatwg/html/issues/3440
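
The restriction named in this bug's summary, sketched as an added example (not WebKit code and not part of the report): an application cache is created only when the document and every ancestor frame are potentially trustworthy, so a page fetched over plain HTTP on an untrusted network leaves nothing behind to be replayed later. The function names, the frame-chain representation and the sample URLs are assumptions, and the trustworthiness test is a simplified form of the one in the Secure Contexts specification.

```javascript
// Added illustration; hypothetical helper names, constructed sample URLs.

// Simplified "potentially trustworthy origin" test from Secure Contexts.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable URL: fail closed
  }
  // Authenticated, encrypted transport.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // Loopback never crosses the network, so there is no on-path attacker.
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === '[::1]') return true;
  return false;
}

// frameChain: URLs from the top-level document down to the document whose
// <html manifest="..."> attribute is being processed (assumed representation).
function allowAppCache(frameChain, manifestAttr) {
  if (!manifestAttr) {
    return { allow: false, reason: 'no manifest attribute' };
  }
  if (!Array.isArray(frameChain) || frameChain.length === 0) {
    return { allow: false, reason: 'unknown document' };
  }
  // One insecure ancestor is enough: an on-path attacker who controls the
  // outer page controls what is framed and cached inside it.
  for (const frameUrl of frameChain) {
    if (!isPotentiallyTrustworthy(frameUrl)) {
      return { allow: false, reason: 'insecure context: ' + frameUrl };
    }
  }
  return { allow: true, reason: 'secure context' };
}

// The scenario from the description: first visit over HTTP on open WiFi.
console.log(allowAppCache(['http://shop.example/'], 'offline.appcache'));
// Same site over HTTPS.
console.log(allowAppCache(['https://shop.example/'], 'offline.appcache'));
// HTTPS document framed by an HTTP page.
console.log(allowAppCache(
  ['http://portal.example/', 'https://shop.example/widget'],
  'offline.appcache'));
```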
Comment 1 Radar WebKit Bug Importer 2018-02-02 11:30:13 PST