Major web browser vendors plan on restricting the use of the Application Cache (AppCache) feature to secure connections in an effort to protect users against potential attacks.
Mozilla on Monday was the first to make an official announcement, but the developers of Chrome, Edge and WebKit (the layout engine used by Apple’s Safari) said they plan on doing the same.
AppCache is an HTML5 application caching mechanism that allows website developers to specify which resources should be available offline. This improves speed, reduces server load, and enables users to browse a site even when they are offline.
While application caching has some benefits, it can also introduce serious security risks, which is partly why it has been deprecated and its use is no longer recommended.
The problem is that AppCache does not properly revalidate its cache, making it possible for man-in-the-middle (MitM) attackers to load malicious content. Mozilla has described the following attack scenario:
“A user logs onto a coffee shop WiFi where an attacker can manipulate the WiFi that is served over HTTP. Even if the user only visits one HTTP page over the WiFi, the attacker can plant many insecure iframes using AppCache which allows the attacker to rig the cache with malicious content manipulating all of those sites indefinitely. Even a cautious user who decides only to login to their websites at home is at risk due to this stale cache.”
Mozilla has already banned access to AppCache from HTTP pages in Firefox 60 Nightly and Beta, and will do the same in the main branch starting with Firefox 62, scheduled for release in early May.
Mozilla says it will continue to remove features for websites using HTTP and advised developers to implement TLS encryption in order to preserve current functionality.
“Going forward, Firefox will deprecate more APIs over insecure connections in an attempt to increase adoption of HTTPS and improve the safety of the internet as a whole,” explained Mozilla’s Jonathan Kingston.
Google Chrome developers initiated a discussion on removing AppCache on insecure origins back in 2016, but failed to find a solution. Following Mozilla’s lead, the Chrome team has picked up discussions on this topic on February 2.