Prevent appcache in iframes
Issue description
https://output.jsbin.com/medoke/quiet - here I create a series of iframes with random URLs pointing to https://gabrielecirulli.github.io/2048/. This floods the master entry part of appcache, making updates to 2048 much larger, forever. This attack doesn't work in Safari; I'm guessing they prevent appcache in iframes (maybe cross-origin only). We should do the same.
Apr 13 2016
Firefox's behavior matches Chrome's; it caches the master entries too.
Apr 13 2016
Apr 13 2016
I reckon Safari is (wilfully) breaking spec here, but it does prevent the attack.
Apr 14 2017
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue. The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 17 2017
I think Google Drive and Google Docs rely on being able to establish appcaches xorigin to pull down new docs. The safest change I can think of is to put a reasonable limit on the number of master entries; when n+1 comes around, silently refuse to add it. We could add UMA stats to get an idea of how many master entries there typically are as the basis for the reasonable limit?
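
The master-entry limit proposed in the comment above, sketched as an added example (not part of the thread and not Chromium's code). `AppCacheGroupModel`, `MAX_MASTER_ENTRIES`, its value of 20 and the `app.example` URLs are assumptions made for illustration; the model is simplified and only counts fetches.

```javascript
// Added illustration: a toy model of one appcache group, not Chromium code.
// MAX_MASTER_ENTRIES is a hypothetical value; the thread proposes choosing
// the real limit from UMA data.
const MAX_MASTER_ENTRIES = 20;

class AppCacheGroupModel {
  constructor(manifestUrl, explicitEntries, maxMasters = Infinity) {
    this.manifestUrl = manifestUrl;
    this.explicit = new Set(explicitEntries); // resources listed in the manifest
    this.masters = new Set();                 // documents that referenced the manifest
    this.maxMasters = maxMasters;
    this.refused = 0;
  }

  // Called when a document pointing at this manifest is loaded.
  // Returns true if the URL is (or already was) stored in the cache.
  addMasterEntry(url) {
    if (this.explicit.has(url) || this.masters.has(url)) return true;
    if (this.masters.size >= this.maxMasters) {
      this.refused++; // entry n+1: silently refuse, as proposed
      return false;
    }
    this.masters.add(url);
    return true;
  }

  // In this model an update refetches the manifest, every explicit entry
  // and every master entry, so the master set drives update size.
  updateFetchCount() {
    return 1 + this.explicit.size + this.masters.size;
  }
}

// Constructed input: 500 distinct URLs for the same page, then one
// legitimate page visited afterwards.
function simulate(maxMasters) {
  const base = 'https://app.example/';
  const group = new AppCacheGroupModel(base + 'cache.appcache',
    [base, base + 'app.js', base + 'app.css'], maxMasters);
  for (let i = 0; i < 500; i++) group.addMasterEntry(`${base}?r=${i}`);
  const lateOk = group.addMasterEntry(base + 'settings.html');
  return { fetches: group.updateFetchCount(), refused: group.refused, lateOk };
}

const uncapped = simulate(Infinity);
const capped = simulate(MAX_MASTER_ENTRIES);
console.log({ uncapped, capped });
```

In the capped run the update stays bounded, but the legitimate page visited after the limit was reached is refused as well, which is the trade-off a first-come limit carries.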
Apr 18 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 30 2018
Sep 20
UMA metric to see if we can remove this?
Jan 12
Comment 1 by michaeln@chromium.org, Apr 12 2016