AppCache Scope Restricted

The Application Cache (AppCache) specification has been deprecated since December 2016, and AppCache is deprecated in Chrome starting in version 79. In Chrome 70, AppCache was removed from insecure contexts. We plan to remove AppCache in Chrome 82. Prior to that removal, we’re announcing a security fix that introduces the concept of a manifest scope.
Beginning in Chrome 80 in January 2020, the scope of the AppCache manifest will be restricted to the path it is served from. Previously, a manifest served from any location within a site’s origin could override everything within that origin. For example, a manifest served from www.example.com/foo/bar/ would previously allow overriding any URLs within www.example.com. Now it will only allow overriding URLs beginning with www.example.com/foo/bar/, the scope of the manifest.
Does This Affect My Website?
To see if this affects your website, go to chrome://appcache-internals/ and compare the path of the manifest to the paths under File URL. Note that this change only affects “Intercept” and “Fallback” properties. (See the image below.)
You should also test your site using the command line feature flag. To do so:
- Launch Chrome 80 using the following command:
  google-chrome --enable-features="AppCacheManifestScopeChecks"
- Open chrome://appcache-internals/, find your manifest and remove it.
- Open your site so a new AppCache instance is created.
- Open chrome://appcache-internals/, verify your manifest appears as expected and parser version is set to 1.
- Go offline, then access your site so it’s served from AppCache. Verify all pages load as expected.
Mitigations
The replacement technology for AppCache is the Cache API, which requires a service worker. For a shorter term mitigation, add the following HTTP response header to your manifest responses:
X-AppCache-Allowed: /
This header is new in Chrome 80 and will be supported until Chrome 82, which is our announced AppCache removal milestone. Please be aware that AppCache, like all Chrome features, makes use of the disk cache to fetch server responses, so any long-lived disk cache entries for a manifest must be cleared in order to pick up a server X-AppCache-Allowed header change.
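The scope rule and the X-AppCache-Allowed override described above, as an added example (not code from the original post or from Chrome): a simplified model that lists the Fallback and Intercept namespaces in a manifest that fall outside its scope. The manifest URL, the sample manifest, the function names and the `CHROMIUM-INTERCEPT:` section name are assumptions.

```javascript
// Constructed sample manifest (not from the original post).
const SAMPLE_MANIFEST = `CACHE MANIFEST
CACHE:
/foo/bar/app.js
FALLBACK:
/foo/bar/pages/ /foo/bar/offline.html
/ /foo/bar/offline.html
/account/ /foo/bar/offline.html
NETWORK:
*
`;

// Assumed model: scope is the directory the manifest is served from, unless
// the response carried X-AppCache-Allowed, whose value then sets the scope.
function manifestScope(manifestUrl, allowedHeader) {
  const url = new URL(manifestUrl);
  if (allowedHeader) return new URL(allowedHeader.trim(), url).pathname;
  return url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
}

// Namespace URLs (first token per entry) from the sections that override URLs.
// CHROMIUM-INTERCEPT: is assumed to be Chrome's intercept section name.
function overrideNamespaces(manifestText) {
  const sections = new Set(['FALLBACK:', 'CHROMIUM-INTERCEPT:']);
  const namespaces = [];
  let inOverride = false;
  for (const raw of manifestText.split(/\r?\n/).slice(1)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (/^[A-Z-]+:$/.test(line)) { inOverride = sections.has(line); continue; }
    if (inOverride) namespaces.push(line.split(/\s+/)[0]);
  }
  return namespaces;
}

// Entries whose namespace falls outside the manifest scope (or origin).
function outOfScope(manifestUrl, manifestText, allowedHeader) {
  const base = new URL(manifestUrl);
  const scope = manifestScope(manifestUrl, allowedHeader);
  return overrideNamespaces(manifestText).filter((ns) => {
    const target = new URL(ns, base);
    return target.origin !== base.origin || !target.pathname.startsWith(scope);
  });
}

const MANIFEST_URL = 'https://www.example.com/foo/bar/site.appcache';
console.log(outOfScope(MANIFEST_URL, SAMPLE_MANIFEST));
console.log(outOfScope(MANIFEST_URL, SAMPLE_MANIFEST, '/'));
```

Any namespace the first call reports is an override that stops working under the scope check unless the manifest moves up the path or the header is sent.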
Posted by jmedley