[html5] r4557 - [giow] (2) Plug a security hole with appcache: don't allow hostile https: server [...]

whatwg at whatwg.org whatwg at whatwg.org
Sun Jan 10 03:45:53 PST 2010 

Author: ianh
Date: 2010-01-10 03:45:49 -0800 (Sun, 10 Jan 2010)
New Revision: 4557

Modified:
   complete.html
   index
   source
Log:
[giow] (2) Plug a security hole with appcache: don't allow hostile https: servers to cache no-store files on other https: servers. Also, mention that https: apps can be made to work offline.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8515

Modified: complete.html
===================================================================
--- complete.html	2010-01-10 11:03:15 UTC (rev 4556)
+++ complete.html	2010-01-10 11:45:49 UTC (rev 4557)
@@ -53246,6 +53246,11 @@
   manifest is automatically cached even if it isn't explicitly
   mentioned.</p>
 
+  <p class=note>HTTP cache headers and restrictions on caching pages
+  served over TLS (encrypted, using <code title="">https:</code>) are
+  overridden by manifests. Thus, pages will not expire from an
+  application cache before the user agent has updated it, and even
+  applications served over TLS can be made to work offline.</p>
 
 
   <h5 id=appcacheevents><span class=secno>6.9.1.1 </span>Event summary</h5>
@@ -53651,6 +53656,11 @@
   </dl><p>Manifests may contain sections more than once. Sections may be
   empty.</p>
 
+  <p>If the manifest's <a href=#url-scheme title=url-scheme><scheme></a>
+  is <code title="">https:</code> or another scheme intended for
+  encrypted data transfer, then all URLs in <a href=#concept-appcache-manifest-explicit title=concept-appcache-manifest-explicit>explicit sections</a>
+  must have the <a href=#same-origin>same origin</a> as the manifest itself.</p>
+
   <p>URLs that are to be fallback pages associated with <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespaces</a>, and
   those namespaces themselves, must be given in <a href=#concept-appcache-manifest-fallback title=concept-appcache-manifest-fallback>fallback sections</a>,
   with the namespace being the first URL of the data line, and the
@@ -53846,7 +53856,10 @@
       <a href=#url-scheme title=url-scheme><scheme></a> component than
       the manifest's URL (compared in an <a href=#ascii-case-insensitive>ASCII
       case-insensitive</a> manner), then jump back to the step
-      labeled "start of line".</p>
+      labeled "start of line". If the manifest's <a href=#url-scheme title=url-scheme><scheme></a> is <code title="">https:</code> or another scheme intended for encrypted
+      data transfer, and the resulting <a href=#absolute-url>absolute URL</a> does
+      not have the <a href=#same-origin>same origin</a> as the manifest's URL,
+      then jump back to the step labeled "start of line".</p>
 
       <p>Drop the <a href=#url-fragment title=url-fragment><fragment></a>
       component of the resulting <a href=#absolute-url>absolute URL</a>, if it has

Modified: index
===================================================================
--- index	2010-01-10 11:03:15 UTC (rev 4556)
+++ index	2010-01-10 11:45:49 UTC (rev 4557)
@@ -53116,6 +53116,11 @@
   manifest is automatically cached even if it isn't explicitly
   mentioned.</p>
 
+  <p class=note>HTTP cache headers and restrictions on caching pages
+  served over TLS (encrypted, using <code title="">https:</code>) are
+  overridden by manifests. Thus, pages will not expire from an
+  application cache before the user agent has updated it, and even
+  applications served over TLS can be made to work offline.</p>
 
 
   <h5 id=appcacheevents><span class=secno>6.9.1.1 </span>Event summary</h5>
@@ -53527,6 +53532,11 @@
   </dl><p>Manifests may contain sections more than once. Sections may be
   empty.</p>
 
+  <p>If the manifest's <a href=#url-scheme title=url-scheme><scheme></a>
+  is <code title="">https:</code> or another scheme intended for
+  encrypted data transfer, then all URLs in <a href=#concept-appcache-manifest-explicit title=concept-appcache-manifest-explicit>explicit sections</a>
+  must have the <a href=#same-origin>same origin</a> as the manifest itself.</p>
+
   <p>URLs that are to be fallback pages associated with <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespaces</a>, and
   those namespaces themselves, must be given in <a href=#concept-appcache-manifest-fallback title=concept-appcache-manifest-fallback>fallback sections</a>,
   with the namespace being the first URL of the data line, and the
@@ -53722,7 +53732,10 @@
       <a href=#url-scheme title=url-scheme><scheme></a> component than
       the manifest's URL (compared in an <a href=#ascii-case-insensitive>ASCII
       case-insensitive</a> manner), then jump back to the step
-      labeled "start of line".</p>
+      labeled "start of line". If the manifest's <a href=#url-scheme title=url-scheme><scheme></a> is <code title="">https:</code> or another scheme intended for encrypted
+      data transfer, and the resulting <a href=#absolute-url>absolute URL</a> does
+      not have the <a href=#same-origin>same origin</a> as the manifest's URL,
+      then jump back to the step labeled "start of line".</p>
 
       <p>Drop the <a href=#url-fragment title=url-fragment><fragment></a>
       component of the resulting <a href=#absolute-url>absolute URL</a>, if it has

Modified: source
===================================================================
--- source	2010-01-10 11:03:15 UTC (rev 4556)
+++ source	2010-01-10 11:45:49 UTC (rev 4557)
@@ -59983,6 +59983,11 @@
   manifest is automatically cached even if it isn't explicitly
   mentioned.</p>
 
+  <p class="note">HTTP cache headers and restrictions on caching pages
+  served over TLS (encrypted, using <code title="">https:</code>) are
+  overridden by manifests. Thus, pages will not expire from an
+  application cache before the user agent has updated it, and even
+  applications served over TLS can be made to work offline.</p>
 
 
   <h5 id="appcacheevents">Event summary</h5>
@@ -60479,6 +60484,12 @@
   <p>Manifests may contain sections more than once. Sections may be
   empty.</p>
 
+  <p>If the manifest's <span title="url-scheme"><scheme></span>
+  is <code title="">https:</code> or another scheme intended for
+  encrypted data transfer, then all URLs in <span
+  title="concept-appcache-manifest-explicit">explicit sections</span>
+  must have the <span>same origin</span> as the manifest itself.</p>
+
   <p>URLs that are to be fallback pages associated with <span
   title="concept-appcache-fallback-ns">fallback namespaces</span>, and
   those namespaces themselves, must be given in <span
@@ -60709,7 +60720,12 @@
       <span title="url-scheme"><scheme></span> component than
       the manifest's URL (compared in an <span>ASCII
       case-insensitive</span> manner), then jump back to the step
-      labeled "start of line".</p>
+      labeled "start of line". If the manifest's <span
+      title="url-scheme"><scheme></span> is <code
+      title="">https:</code> or another scheme intended for encrypted
+      data transfer, and the resulting <span>absolute URL</span> does
+      not have the <span>same origin</span> as the manifest's URL,
+      then jump back to the step labeled "start of line".</p>
 
       <p>Drop the <span title="url-fragment"><fragment></span>
       component of the resulting <span>absolute URL</span>, if it has

More information about the Commit-Watchers mailing list