Appcache allows bypassing of Access-Control-Allow-Credentials #1427
Comments
Possible solutionsRemove appcacheMany existing sites lose offline functionality, but continue to work online unless lack of appcache APIs triggers JS errors. Concede that ACAO: * cannot be blanketly usedDevelopers must only use Change appcache to cache using CORSThis could be seen as a step towards deprecation. However, this may prevent a large number of sites updating, leaving users stuck on older versions if CORS headers aren't added. Change appcache to cache without credentialsI'm not sure how many sites this would break. Credentials could be used for same-origin resources. Change appcache to cache each resource twice, with & without credentialsThen appcache could serve one of the two depending on the credential mode of the request. This should be backwards compatible, but doubles the bandwidth & storage requirements of appcache. |
|
I think the last one is the way to go. That's also how the HTTP cache is supposed to behave (though we haven't defined that in detail yet, see whatwg/fetch#307). Not sure we have to cache each resource twice, but we should add a flag as to whether it was cached with credentials or without and reply as appropriate. |
I guess we could make the fetches "same-origin" when it comes to credentials, but it's difficult to judge how much content we'll break by doing that. |
|
I think the main thing we have to do is that if we do "no-cors" + "include" from the AppCache manifest, we don't use those for XHR "cors" + "same-origin". |
|
Does that mean appcache will fail for hosted fonts (as they require CORS)? |
|
Yeah, I guess it would. I guess it would require the alternative strategy of caching everything twice... |
|
Let's fold this into #151. |
Demo: https://github.com/jakearchibald/appcache-credentials
Appcache allows you to bypass CORS checks on pages that:
Access-Control-Allow-Origin: *Without appcache, developers can add
Access-Control-Allow-Origin: *to all resources available on the public internet, even if the data is sensitive with credentials (Vary: Cookiemust be used if the resource is cachable). If the resource is fetched with credentials the CORS check will fail becauseAccess-Control-Allow-Credentialsis absent andAccess-Control-Allow-Originis not the requesting origin.Appcache caches everything with credentials and
no-cors, and it serves items from its cache regardless of credentials or mode. This allows an attacker to cache a response requested with credentials, and later retrieve it using a no-credentials fetch, which only requiresAccess-Control-Allow-Origin: *to allow JS to access the content.The text was updated successfully, but these errors were encountered: