Bug 182442 - Restrict AppCache to Secure Contexts
Summary: Restrict AppCache to Secure Contexts
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2018-02-02 11:29 PST by John Wilander
Modified: 2022-10-27 08:52 PDT (History)
7 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description John Wilander 2018-02-02 11:29:01 PST
From Mozilla Dev Platform discussion (https://groups.google.com/forum/#!topic/mozilla.dev.platform/qLTTpdzcDkw):

AppCache is a powerful feature on the web that permits a web page to be viewed offline. This increases the risk that a user is unaware of the source of the web page content when browsing over HTTP.

Besides fundamental issues with AppCache, which are summarized in this article [http://alistapart.com/article/application-cache-is-a-douchebag], AppCache increases the risk of a MitM attack to a user. The users cache persists with a device once they change to a different network. 

Example attack: Assume a user visits a website over an insecure WiFi network and the connection to the site was MitM’ed. The MitM injected it’s own content into the website and the browser then caches that content. The user decides not to enter their sensitive data whilst on an insecure network. The user then takes their device home and tries to visit the site over the internet provided by their ISP. The user now assumes they can enter sensitive information with less risk.  But since the page content was cached over the insecure WiFi network, it will still be the malicious content from the attacker. The sensitive data entered is then sent to the attacker instead of the website. In addition, the cached content can also redirect the user to a secure web page owned by the attacker. 

Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1354175
Blink dev discussion: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/ANnafFBhReY
WhatWG issue: https://github.com/whatwg/html/issues/3440
Comment 1 Radar WebKit Bug Importer 2018-02-02 11:30:13 PST
Comment 2 Anne van Kesteren 2022-10-27 08:52:08 PDT
We've disabled this feature in https://github.com/WebKit/WebKit/commit/84496ac822fadfc774ddf6e1c9b09856bf0f1d07 and will eventually remove it in bug 219391.