Bug 60571

Summary: ApplicationCache: feature request - an https manifest should be able to list resources from other https origins.
Product: WebKit Reporter: Michael Nordman <michaeln>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: ahmad.saleem792, ap, kennyluck, youennf
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 62250    
Bug Blocks:    

Michael Nordman
Reported 2011-05-10 12:43:47 PDT
This is explicitly disallowed by the the spec but the rationale doesn't hold up under scrutiny. Prohibiting cross-origin HTTPS from appcaching really doesn't defend against the attack that it tried to defend against because HTTPS resources can just as easily end up in the usual browser cache. The point of excluding them is to prevent an attacker with physical access to the system from stealing those resources. But unless there's a cache-control "no-store" header, they'll be in the browser cache anyway. So the feature request is allow cross-origin HTTPS resources but respect the "no-store" header, if that header is present the resource won't be cached and the appcache update will fail. This has already been done in the chromium project and has been brought up on the whatwg list and public-webapps list. http://code.google.com/p/chromium/issues/detail?id=69594
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2011-05-11 09:20:33 PDT
> But unless there's a cache-control "no-store" header, they'll be in the browser cache anyway. I'm surprised to hear that, and I don't think that it's accurate in general. It's definitely not the case for Safari.
Michael Nordman
Comment 2 2011-05-17 10:02:23 PDT
(In reply to comment #1) > > But unless there's a cache-control "no-store" header, they'll be in the browser cache anyway. > > I'm surprised to hear that, and I don't think that it's accurate in general. It's definitely not the case for Safari. Chrome and Firefox will cache https resources on disk. Viewing about:cache in each of those browsers easily confirms it. (Hey... Firefox's about:cache page looks really nice. I wonder if the WebInspector team would consider pages like these are part of their charter too.)
Ahmad Saleem
Comment 3 2024-01-29 12:31:56 PST
After this commit (Disable `AppCache` everywhere): https://github.com/WebKit/WebKit/commit/6f399c42909b07a4da0c6c0d6baab1b578dd610e Is this applicable?
youenn fablet
Comment 4 2024-01-29 12:39:26 PST
I plan to remove the appcache code, hopefully this week.
Note You need to log in before you can comment on or make changes to this bug.