AppCache Scope Restricted
The Application Cache (AppCache) specification has been deprecated since December 2016 and in Chrome starting in version 79. In Chrome 70, AppCache was removed from insecure contexts. We plan to remove AppCache in Chrome 82. Prior to AppCache’s removal in Chrome 82, we’re announcing a security fix that introduces the concept of a manifest scope.
Beginning in Chrome 80 in January, 2020, the scope of the AppCache manifest will be restricted to the path it is served from. Previously, a manifest served from any location within a site’s origin could override everything within that origin. For example, a manifest served from
www.example.com/foo/bar/ would previously allow overriding any URLs within
www.example.com. Now it will only allow overriding URLs beginning with
www.example.com/foo/bar/, the scope of the manifest.
Does This Affect My Website?
To see if this affects your website, go to
chrome://appcache-internals/ and compare the path of the manifest to the paths under File URL. Note that this change only affects “Intercept” and “Fallback” properties. (See the image below.)
You should also test your site using the command line feature flag. To do so:
- Launch Chrome 80 using the following command:
chrome://appcache-internals/, find your manifest and remove it.
- Open your site so a new AppCache instance is created.
chrome://appcache-internals/, verify your manifest appears as expected and parser version is set to 1.
- Go offline, then access your site so it’s served from AppCache. Verify all pages load as expected.
The replacement technology for AppCache is the Cache API, which requires a service worker. For a shorter term mitigation, add the following HTTP response header to your manifest responses:
This header is new in Chrome 80 and will be supported until Chrome 82, which is our announced AppCache removal milestone. Please be aware that AppCache, like all Chrome features, makes use of the disk cache to fetch server responses, so any long-lived disk cache entries for a manifest must be cleared in order to pick up a server
X-AppCache-Allowed header change.
Posted by jmedley Read More
Related Google News:
- BBC: Keeping up with a busy news day with an end-to-end serverless architecture May 1, 2023
- Photo Picker Everywhere April 24, 2023
- Enabling organizational communication with announcements in Google Chat April 10, 2023
- Kubernetes k8s.gcr.io redirect: what you need to know as an Anthos or GKE user March 24, 2023
- How AI can improve digital security March 24, 2023
- Announcing Google Cloud’s new Digital Sovereignty Explorer March 23, 2023
- Introducing new Space Manager capabilities in Google Chat March 13, 2023
- PaLM-E: An embodied multimodal language model March 10, 2023