Thanks!  The Cache API will be a good case to add enforcements for, as we make progress on the full Site Isolation goals.  (There are several enforcements that aren't implemented yet, and they're being tracked in issue 786673.)

creis: Same question here - this seems potentially like a new security feature rather than bug? Should we change the Type to remove it from the sheriff queue?

Security feature.

If this is feature request rather than a bug, why are we hiding it? Can we open this up to public?

Mac triage: assigning to creis@ for further triage.

Ah, sorry, missed comment 4 amid all the activity in January.  Agreed this can be opened up, since Site Isolation isn't currently enforcing restrictions on fully compromised renderers yet.

falken@, any chance you know who works on the Cache API and may be able to help us find places to enforce this outside the renderer?  Also adding jam@, since I wonder if this is affected by the network service.

+jsbell, +cmumford for cache storage API

Since Cache Storage hasn't been mojoified yet, appropriate checks on the browser side of classic IPC would be in:

https://cs.chromium.org/chromium/src/content/browser/cache_storage/cache_storage_dispatcher_host.cc

... but the mojoification is in flight:

https://chromium-review.googlesource.com/c/chromium/src/+/875510

... so probably best to wait until that lands (should be real soon!) and add it there.

This should be completely unblocked now...

Like (most) other mojo-ified back-ends the browser-side mojo channel / origin association occurs here:

https://cs.chromium.org/chromium/src/content/browser/renderer_interface_binders.cc?q=renderer_interface_binders.cc&dr&l=156

Which is used at:

https://cs.chromium.org/chromium/src/content/browser/renderer_interface_binders.cc?gsn=parameterized_binder_registry_&l=66

So if the frame->GetLastCommittedOrigin() is trustworthy then we're good. If not, that's a swell place to add enforcement. 

For every Mojo method called we use the origin from the initial binding (the one jsbell@ pointed on #10):
https://cs.chromium.org/chromium/src/content/browser/cache_storage/cache_storage_dispatcher_host.cc?l=244

This use of origin from binding-time is what guarantees the segregation of each origin's cache. 

Please add reward-topanel after this has been marked as fixed, so the VRP panel can take a look at it.

Inspecting the code again, so far as I can tell this work was complete w/ lucmult@'s changes. We no longer rely on the renderer to inform what origin it is representing.

Passing back to creis@ to verify in case I missed something. Details in #10 - like most mojoified services, in RendererInterfaceBinders::BindInterface we rely on frame->GetLastCommittedOrigin() (for frames at least, for workers it's passed in) rather than anything passed by the renderer.

I tried verifying with the #0 steps, but unfortunately those resources don't seem to all be there any more.  The poison.html 404s.

Poison.html is a cache file created with UXSS. If you don’t have UXSS in hand, it will always return 404.

Could anyone add reward-topanel per Comment 12?

Hi s.h.h.n.j.k@ - we had a discussion with the Site Isolation team about this bug, and we concluded that we would have fixed this even without the report, so we're not going to reward for it, I'm afraid.

All right! Thanks for the consideration!