Splits the HTTP cache using the top frame site and subframe site (where site = scheme://etld+1) to prevent documents from one site from knowing whether a resource from another site was cached. The HTTP cache is currently one per profile, with a single namespace for all resources and subresources regardless of origin or renderer process. Splitting the cache on top frame site helps the browser deflect side-channel attacks where one site can detect resources in another site’s cache.
Cache attacks can lead to the following leaks: - Detect if a user has visited a specific site: If the cached resource is specific to a particular site or to a particular cohort of sites, an adversary can detect user’s browsing history by checking if the cache has that resource. - Cross-site search attack: There exist cross site search attack proofs-of-concept which exploit the fact that some popular sites load a specific image when a search result is empty. By opening a tab and performing a search and then checking for that image in the cache, an adversary can detect if an arbitrary string is in the user’s search results.
Docs: https://docs.google.com/document/d/1U5zqfaJCFj_URrAmSxJ0C7z0AilLLJ30lgAqShVWnck/edit?usp=sharing https://docs.google.com/document/d/1XJMm89oyd4lJ-LDQuy0CudzBn1TaK0pE-acnfJ-A4vk/edit?usp=sharing
Explainers: https://github.com/whatwg/fetch/issues/904