In order to defend against cache probing attacks, browser developers are actively working on implementing a partitioned HTTP cache, which in essence ensures that each website has a distinct cache. Since cache probing relies on the browser's HTTP cache being shared across every website, a partitioned HTTP cache can defend against many cache probing techniques. This is done by using tuples as the cache keys, either (top-frame-site, resource-url) as in Firefox or (top-frame-site, framing-site, resource-url) as in Chromium/Chrome, so that the cache is partitioned by the requesting site. This makes it more challenging for attackers to interact with the cached contents of different sites. Safari currently ships a partitioned cache.
SameSite cookies are one of the most impactful modern security mechanisms for fixing security issues that involve cross-site requests. This mechanism allows applications to instruct browsers to only include cookies in requests that are issued same-site. This type of cookie has three modes: None, Lax, and Strict.
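The difference between the three modes is easiest to see as a decision function. The following is an added example, not from the wiki: `cookie_sent` is a simplified model of the attribute's rules (same-site requests always carry the cookie; cross-site requests carry it for `None`, only on top-level navigations with a safe method for `Lax`, and never for `Strict`), and `registrable_site` is a toy two-label eTLD+1 rather than a real public-suffix lookup.

```python
from enum import Enum
from urllib.parse import urlsplit

# Added example (not from the XS-Leaks wiki): a simplified model of how the
# SameSite attribute decides whether a cookie is attached to a request.


class SameSite(Enum):
    NONE = "None"
    LAX = "Lax"
    STRICT = "Strict"


def registrable_site(url: str) -> str:
    """Toy eTLD+1: keep the last two host labels (assumes a one-label public suffix)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_sent(mode: SameSite, initiator_url: str, target_url: str,
                top_level_navigation: bool, method: str = "GET") -> bool:
    """Return True if a cookie with the given SameSite mode is attached to a request
    from a document at initiator_url to target_url."""
    if registrable_site(initiator_url) == registrable_site(target_url):
        return True                      # same-site: every mode sends it
    if mode is SameSite.NONE:
        return True                      # cross-site allowed (requires Secure)
    if mode is SameSite.LAX:
        # cross-site only when the user navigates the top-level window with a safe method
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return False                         # Strict: never cross-site


def set_cookie_header(name: str, value: str, mode: SameSite) -> str:
    """Build the Set-Cookie header value; Secure is always included because
    browsers reject SameSite=None cookies without it."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", f"SameSite={mode.value}"]
    return "; ".join(attrs)


if __name__ == "__main__":
    for mode in SameSite:
        print(mode.value, "embedded image from another site:",
              cookie_sent(mode, "https://attacker.example/", "https://bank.example/img.png", False))
```

For the cross-site subresource requests that XS-Leak techniques depend on (images, frames, fetches issued from another site), both `Lax` and `Strict` omit the cookie, so the response no longer depends on the user's state.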
The fundamental idea behind designing protections for subresources is that subresources cannot be targeted by XS-Leaks if the attacker cannot make them return any user data. If implemented correctly, this approach can be a very strong defense, though it is likely to be tough to implement and could negatively impact the user experience.
tip
It can be very effective to deploy this approach on any specific resources that are known to be especially sensitive to XS-Leaks. But, due to the challenges of deploying this protection universally, applications are encouraged to deploy opt-in web platform security features as the default approach.
A strong protection for subresources can be achieved by including a user-specific token in every request. This protects against most XS-Leak techniques if implemented correctly. The idea is that in order to verify a request for a resource as being legitimate, a token must be included. This token must be provided to the client in a way that prevents an attacker from including it in their own requests.
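A minimal server-side shape of this protection, as an added example that is not the wiki's code: the token is an HMAC over the session identifier derived from a server-held key, it is embedded in the page the user loads (not in a cookie, so a cross-site request cannot carry it), and every request lacking a valid token receives the same constant response regardless of the user's state. `SERVER_SECRET`, `issue_token`, `serve_subresource` and the in-memory `user_data` store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example (not from the XS-Leaks wiki): a token-gated subresource.
# The key and the helper names are assumptions chosen for this illustration.

SERVER_SECRET = secrets.token_bytes(32)  # assumed per-deployment key, kept server-side only


def issue_token(session_id: str) -> str:
    """Derive the per-user token that the server embeds in the user's own page
    (for example as a query parameter on the resource URL). Delivered in the page
    body rather than a cookie, it is not available to requests issued from other sites."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes


# One fixed response for every request without a valid token, whatever the user's state,
# so the status, size and timing carry no user-specific information.
UNAUTHENTICATED = Response(403, b"token required")


def serve_subresource(session_id: Optional[str], token: Optional[str],
                      user_data: dict) -> Response:
    """Return user-specific content only when the request carries a valid token
    bound to the session; otherwise return the constant UNAUTHENTICATED response."""
    if session_id is None or token is None:
        return UNAUTHENTICATED
    # constant-time comparison so the check itself does not leak via timing
    if not hmac.compare_digest(issue_token(session_id), token):
        return UNAUTHENTICATED
    return Response(200, user_data.get(session_id, b""))


if __name__ == "__main__":
    sid = "session-123"                       # constructed
    data = {sid: b"balance: 100"}             # constructed user store
    print(serve_subresource(sid, issue_token(sid), data))
    print(serve_subresource(sid, None, data))
    print(serve_subresource(None, None, data))
```

The important property is the second half: a logged-in user without a token and an anonymous visitor get byte-identical responses, which is what removes the user data an XS-Leak technique would need to observe.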
Document-Policy is an experimental mechanism, similar to the also experimental Feature Policy, used to cover features that are more about configuring a document, or removing features (sandboxing) from a document or a frame. It can, for example, be set in a response header as shown in the example below.
The ForceLoadAtTop feature provides an opt-out from Scroll To Text (and other load-on-scroll behaviors) for privacy-sensitive sites. The feature allows sites to indicate that they should always be loaded at the top of the page, blocking any scroll-on-load behaviors, including text fragments and element fragments. It can be set via the Document-Policy: force-load-at-top response header.
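A concrete way of emitting that header, as an added example that is not the wiki's own: a small `http.server` handler that adds `Document-Policy: force-load-at-top` to responses for the paths it treats as privacy-sensitive. The `/account` path prefix, `security_headers` and the placeholder body are assumptions for illustration; only the header name and value come from the text above.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example (not from the XS-Leaks wiki): serving documents with the
# Document-Policy: force-load-at-top opt-out on privacy-sensitive paths.


def security_headers(privacy_sensitive: bool) -> dict:
    """Response headers for an HTML document. The Document-Policy value is the
    opt-out from scroll-on-load behaviours described above; it is only added for
    documents flagged as privacy-sensitive (assumed policy for this example)."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if privacy_sensitive:
        headers["Document-Policy"] = "force-load-at-top"
    return headers


def is_privacy_sensitive(path: str) -> bool:
    """Assumed rule: anything under /account is treated as sensitive."""
    return path.startswith("/account")


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"<!doctype html><title>example</title><h1>hello</h1>"  # constructed
        self.send_response(200)
        for name, value in security_headers(is_privacy_sensitive(self.path)).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # e.g. curl -i http://127.0.0.1:8080/account/settings
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```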