fetch icon indicating copy to clipboard operation
fetch copied to clipboard

Published 20 hours ago verified publisher icon whatwg

Cache mode: fromCache

Open annevk opened this issue 9 years ago • 10 comments

We want to introduce fromCache member on Response objects. However, this in part depends on how we tackle #38 and also #39 of course. If a Response is partially formed from a cached entry, should it say "partial"?

annevk avatar Apr 05 '15 11:04 annevk

Given that the use case for this is https://github.com/slightlyoff/ServiceWorker/issues/412#issuecomment-57635369 which is somewhat obscure, I'm not planning on addressing this for now.

annevk avatar Nov 06 '15 15:11 annevk

I don't think that the linked use case is all that valid regarding this feature. I'd say this https://github.com/whatwg/fetch/issues/39#issuecomment-140908410 is much more applicable.

Determining whether a resource comes from the cache is an important part of the bandwidth estimation that must be handled when serving adaptive bitrate video content. The fromCache attribute would enable more accurate estimation. Currently, this can only be approximated using response timing information.

kanongil avatar Nov 24 '15 13:11 kanongil

Yes, but from that issue we also know that only-if-cached is not acceptable for security reasons and this would expose exactly that. And if we limit this to same-origin it would not at all be interesting for video content.

annevk avatar Nov 24 '15 14:11 annevk

Perhaps it's best to remove the "cache state" concept from the specification for now until we find a way to address these issues.

annevk avatar Nov 24 '15 14:11 annevk

Hmm... Given that the security concerns would be largely circumvented if the server allows the client to sends If-Modified-Since, If-None-Match, etc, it might be possible to use this to enable this feature for such CORS requests?

Of course this would require a CORS pre-flight request to discover, which means that the fromCache attribute would require a special mode / flag to enable on a request.

kanongil avatar Nov 24 '15 15:11 kanongil

FWIW - I think this is a bit different than only-if-cached. The problem there is that it makes it possible to probe the cache without any corresponding traffic being emitted to the server, making it a passive attack.

Exposing fromCache doesn't do that; if someone tries to use it for probing, it will still emit traffic.

What it does do is slightly improve confidence as opposed to cache timing attacks (but they're pretty conclusive anyway, AIUI).

mnot avatar Nov 25 '15 01:11 mnot

Maybe, within server respons headers Cache-Control: stale-*, to solve this problem? RFC5861 https://tools.ietf.org/rfc/rfc5861.txt

ParkFramework avatar Nov 25 '15 02:11 ParkFramework

@mikewest what do you think with regards to @mnot analysis?

annevk avatar Nov 25 '15 08:11 annevk

As Resource Timing exposes some this information, it's reasonable to consider exposing it directly on Response objects again for convenience.

annevk avatar May 07 '21 10:05 annevk

A complementary API to this might be a more explicit opt-in for surfacing 304 responses to the caller, saving the browser from obtaining the full response from the cache. (This is already possible if the caller sets certain headers themselves, but perhaps that ought to have a more abstract entry point as well.)

annevk avatar May 16 '22 14:05 annevk