[giow] (2) Plug a security hole with appcache: don't allow hostile ht…

…tps: servers to cache no-store files on other https: servers. Also, mention that https: apps can be made to work offline. Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=8515 git-svn-id: http://svn.whatwg.org/webapps@4557 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Jan 10, 2010 · a92f3f2 · a92f3f2
1 parent 7469ac1
commit a92f3f2
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 3 deletions.
diff --git a/complete.html b/complete.html
@@ -53246,6 +53246,11 @@ <h4 id=introduction-3><span class=secno>6.9.1 </span>Introduction</h4>
   manifest is automatically cached even if it isn't explicitly
   mentioned.</p>
 
+  <p class=note>HTTP cache headers and restrictions on caching pages
+  served over TLS (encrypted, using <code title="">https:</code>) are
+  overridden by manifests. Thus, pages will not expire from an
+  application cache before the user agent has updated it, and even
+  applications served over TLS can be made to work offline.</p>
 
 
   <h5 id=appcacheevents><span class=secno>6.9.1.1 </span>Event summary</h5>
@@ -53651,6 +53656,11 @@ <h5 id=writing-cache-manifests><span class=secno>6.9.3.2 </span>Writing cache ma
   </dl><p>Manifests may contain sections more than once. Sections may be
   empty.</p>
 
+  <p>If the manifest's <a href=#url-scheme title=url-scheme>&lt;scheme&gt;</a>
+  is <code title="">https:</code> or another scheme intended for
+  encrypted data transfer, then all URLs in <a href=#concept-appcache-manifest-explicit title=concept-appcache-manifest-explicit>explicit sections</a>
+  must have the <a href=#same-origin>same origin</a> as the manifest itself.</p>
+
   <p>URLs that are to be fallback pages associated with <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespaces</a>, and
   those namespaces themselves, must be given in <a href=#concept-appcache-manifest-fallback title=concept-appcache-manifest-fallback>fallback sections</a>,
   with the namespace being the first URL of the data line, and the
@@ -53846,7 +53856,10 @@ <h5 id=parsing-cache-manifests><span class=secno>6.9.3.3 </span>Parsing cache ma
       <a href=#url-scheme title=url-scheme>&lt;scheme&gt;</a> component than
       the manifest's URL (compared in an <a href=#ascii-case-insensitive>ASCII
       case-insensitive</a> manner), then jump back to the step
-      labeled "start of line".</p>
+      labeled "start of line". If the manifest's <a href=#url-scheme title=url-scheme>&lt;scheme&gt;</a> is <code title="">https:</code> or another scheme intended for encrypted
+      data transfer, and the resulting <a href=#absolute-url>absolute URL</a> does
+      not have the <a href=#same-origin>same origin</a> as the manifest's URL,
+      then jump back to the step labeled "start of line".</p>
 
       <p>Drop the <a href=#url-fragment title=url-fragment>&lt;fragment&gt;</a>
       component of the resulting <a href=#absolute-url>absolute URL</a>, if it has

diff --git a/index b/index
@@ -53116,6 +53116,11 @@ clock.js</pre>
   manifest is automatically cached even if it isn't explicitly
   mentioned.</p>
 
+  <p class=note>HTTP cache headers and restrictions on caching pages
+  served over TLS (encrypted, using <code title="">https:</code>) are
+  overridden by manifests. Thus, pages will not expire from an
+  application cache before the user agent has updated it, and even
+  applications served over TLS can be made to work offline.</p>
 
 
   <h5 id=appcacheevents><span class=secno>6.9.1.1 </span>Event summary</h5>
@@ -53527,6 +53532,11 @@ NETWORK:
   </dl><p>Manifests may contain sections more than once. Sections may be
   empty.</p>
 
+  <p>If the manifest's <a href=#url-scheme title=url-scheme>&lt;scheme&gt;</a>
+  is <code title="">https:</code> or another scheme intended for
+  encrypted data transfer, then all URLs in <a href=#concept-appcache-manifest-explicit title=concept-appcache-manifest-explicit>explicit sections</a>
+  must have the <a href=#same-origin>same origin</a> as the manifest itself.</p>
+
   <p>URLs that are to be fallback pages associated with <a href=#concept-appcache-fallback-ns title=concept-appcache-fallback-ns>fallback namespaces</a>, and
   those namespaces themselves, must be given in <a href=#concept-appcache-manifest-fallback title=concept-appcache-manifest-fallback>fallback sections</a>,
   with the namespace being the first URL of the data line, and the
@@ -53722,7 +53732,10 @@ NETWORK:
       <a href=#url-scheme title=url-scheme>&lt;scheme&gt;</a> component than
       the manifest's URL (compared in an <a href=#ascii-case-insensitive>ASCII
       case-insensitive</a> manner), then jump back to the step
-      labeled "start of line".</p>
+      labeled "start of line". If the manifest's <a href=#url-scheme title=url-scheme>&lt;scheme&gt;</a> is <code title="">https:</code> or another scheme intended for encrypted
+      data transfer, and the resulting <a href=#absolute-url>absolute URL</a> does
+      not have the <a href=#same-origin>same origin</a> as the manifest's URL,
+      then jump back to the step labeled "start of line".</p>
 
       <p>Drop the <a href=#url-fragment title=url-fragment>&lt;fragment&gt;</a>
       component of the resulting <a href=#absolute-url>absolute URL</a>, if it has

diff --git a/source b/source
@@ -59983,6 +59983,11 @@ interface <dfn>NavigatorAbilities</dfn> {
   manifest is automatically cached even if it isn't explicitly
   mentioned.</p>
 
+  <p class="note">HTTP cache headers and restrictions on caching pages
+  served over TLS (encrypted, using <code title="">https:</code>) are
+  overridden by manifests. Thus, pages will not expire from an
+  application cache before the user agent has updated it, and even
+  applications served over TLS can be made to work offline.</p>
 
 
   <h5 id="appcacheevents">Event summary</h5>
@@ -60479,6 +60484,12 @@ NETWORK:
   <p>Manifests may contain sections more than once. Sections may be
   empty.</p>
 
+  <p>If the manifest's <span title="url-scheme">&lt;scheme&gt;</span>
+  is <code title="">https:</code> or another scheme intended for
+  encrypted data transfer, then all URLs in <span
+  title="concept-appcache-manifest-explicit">explicit sections</span>
+  must have the <span>same origin</span> as the manifest itself.</p>
+
   <p>URLs that are to be fallback pages associated with <span
   title="concept-appcache-fallback-ns">fallback namespaces</span>, and
   those namespaces themselves, must be given in <span
@@ -60709,7 +60720,12 @@ NETWORK:
       <span title="url-scheme">&lt;scheme&gt;</span> component than
       the manifest's URL (compared in an <span>ASCII
       case-insensitive</span> manner), then jump back to the step
-      labeled "start of line".</p>
+      labeled "start of line". If the manifest's <span
+      title="url-scheme">&lt;scheme&gt;</span> is <code
+      title="">https:</code> or another scheme intended for encrypted
+      data transfer, and the resulting <span>absolute URL</span> does
+      not have the <span>same origin</span> as the manifest's URL,
+      then jump back to the step labeled "start of line".</p>
 
       <p>Drop the <span title="url-fragment">&lt;fragment&gt;</span>
       component of the resulting <span>absolute URL</span>, if it has