[Webkit-unassigned] [Bug 60571] New: ApplicationCache: feature request - an https manifest should be able to list resources from other https origins.

bugzilla-daemon at webkit.org
Tue May 10 12:43:47 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=60571

           Summary: ApplicationCache: feature request - an https manifest
                    should be able to list resources from other https
                    origins.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: michaeln at google.com


This is explicitly disallowed by the spec but the rationale doesn't hold up under scrutiny.

Prohibiting cross-origin HTTPS from appcaching really doesn't defend against the attack that it tried to defend against because HTTPS resources can just as easily end up in the usual browser cache. The point of excluding them is to prevent an attacker with physical access to the system from stealing those resources. But unless there's a cache-control "no-store" header, they'll be in the browser cache anyway.

So the feature request is to allow cross-origin HTTPS resources but respect the "no-store" header: if that header is present, the resource won't be cached and the appcache update will fail.

This has already been done in the chromium project and has been brought up on the whatwg list and public-webapps list.
http://code.google.com/p/chromium/issues/detail?id=69594

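The rule requested in this report, next to the same-origin restriction it would replace, as an added example that is not part of the original bug report and is not WebKit or Chromium code. The function names, verdict strings, and sample hosts are hypothetical, and leaving same-origin entries unaffected by "no-store" is an assumption, since the report only discusses cross-origin resources.

```javascript
// Added illustration: names and sample data are hypothetical, not WebKit/Chromium code.

// True if a Cache-Control value carries no-store. Splitting on commas can
// misread a comma inside a quoted value, which errs toward refusing to cache.
function hasNoStore(cacheControl) {
  return (cacheControl || "")
    .split(",")
    .map((d) => d.trim().split("=")[0].toLowerCase())
    .includes("no-store");
}

// Verdict for one entry of an https manifest.
//   policy "spec":     only same-origin entries are allowed
//   policy "proposed": other https origins are allowed unless no-store is set
// Assumption: same-origin entries are not affected by no-store here.
function checkEntry(manifestUrl, entryUrl, cacheControl, policy) {
  const manifest = new URL(manifestUrl);
  if (manifest.protocol !== "https:") throw new Error("only https manifests are modelled");
  const entry = new URL(entryUrl, manifest); // resolves relative entries
  if (entry.origin === manifest.origin) return "cache";
  if (policy === "spec" || entry.protocol !== "https:") return "disallowed";
  return hasNoStore(cacheControl) ? "fail-update" : "cache";
}

// Under the proposal a single no-store cross-origin entry fails the whole update.
function checkUpdate(manifestUrl, entries, policy) {
  const verdicts = entries.map((e) => ({
    url: e.url,
    verdict: checkEntry(manifestUrl, e.url, e.cacheControl, policy),
  }));
  return { ok: verdicts.every((v) => v.verdict !== "fail-update"), verdicts };
}

// Constructed sample manifest entries.
const MANIFEST = "https://app.example/offline.manifest";
const ENTRIES = [
  { url: "/js/app.js", cacheControl: "max-age=600" },
  { url: "https://cdn.example/lib.js", cacheControl: "public, max-age=3600" },
  { url: "https://api.example/profile.json", cacheControl: "private, No-Store" },
];

console.log(checkUpdate(MANIFEST, ENTRIES, "spec"));
console.log(checkUpdate(MANIFEST, ENTRIES, "proposed"));
```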