Partitioned HTTP Cache
October 1, 2020
In order to defend against cache probing attacks, browser developers are actively working on implementing a partitioned HTTP cache functionality that would in essence ensure each website has a distinct cache. Since cache probing relies on the fact that a browser’s HTTP cache is shared across every website, a partitioned HTTP cache can defend against many cache probing techniques. This is done by using tuples (either (top-frame-site, resource-url) like firefox 1 or (top-frame-site, framing-site, resource-url)) like chromium/chrome 2 as the cache keys to ensure the cache is partitioned by the requesting site. This makes it more challenging for attackers to interact with the cached contents of different sites 3 4 5. Safari currently ships a partitioned cache 6.
tip
For browsers that don’t use partitioned caches, there are other defenses that applications can deploy to defend against cache probing techniques. Pages can also be designed to require some level of user interaction in order to defend against cache probing attacks.
Other Relevant Projects #
WebKit Tracking Prevention Technologies #
Safari implements a partitioned HTTP cache using (top-frame-site, resource URL) as the cache key. This is part of WebKit’s larger Tracking Prevention project.
Firefox First Party Isolation #
First Party Isolation is a browser extension for Firefox which restricts access to cookies and persistent data (e.g. cache) per domain. This requires an opt-in on the part of the user.
Considerations #
Partitioned HTTP caches are a promising security feature that will eventually land in all browsers. These partitioning strategies will mitigate most of the XS-Leak techniques that leverage browser caches. In the future, partitioned caches might be extended to other browser resources, which could help mitigate other XS-Leak techniques like the Socket Exhaustion XS-Leak.