search

uazo / bromite-buildtools

my build machine for bromite development
GNU General Public License v3.0
334 stars 10 forks source link

Issue 1413922 in chromium: Compression dictionary transport with Shared Brotli #155

Open uazo opened 1 year ago

uazo commented 1 year ago 
The existence of a dictionary is effectively a cookie for any requests that match it and should be treated as such:

- Storage partitioning for dictionary resource metadata should be at least as restrictive as for cookies.
- Dictionary entries (or at least the metadata) should be cleared any time cookies are cleared.

The existence of support for dictionary-based accept-encoding: has the potential to leak client 
state information if not applied consistently. If the browser supports dictionary-based 
compression algorithms encoding then it should always be advertised, independent of 
the current state of the feature. Specifically, this means that in any private browsing 
mode (Incognito in Chrome), dictionary-based algorithm support should still be advertised 
even if the dictionaries will not persist so that the state of the private browsing mode is not exposed.

source https://github.com/WICG/compression-dictionary-transport#fingerprinting

check the sentence:

 ...Storage is keyed only by NetworkIsolationKey.
The NetworkIsolationKey is the same for the same site pages even if they
are in different origins. So the same  ...Storage is used
for such sites (eg: map.example.com vs mail.example.com.).
This is unintentional. The ...Storage must be keyed also by
Origin.

see https://bugs.chromium.org/p/chromium/issues/detail?id=1413922#c14

Check that the NetworkIsolationKey is already different by origin.

uazo commented 1 year ago

https://chromium-review.googlesource.com/c/chromium/src/+/4535476 https://chromium-review.googlesource.com/c/chromium/src/+/4401996

uazo commented 1 year ago

new flags in 114: kCompressionDictionaryTransport (default enabled) and kCompressionDictionaryTransportBackend (default disabled).

uazo commented 1 year ago

disabled in https://github.com/uazo/bromite/commit/6c8d08d43fe04164622d444c87621250de9ff8b5

uazo commented 1 year ago

reopened because reading about it, it is interesting for technologies such as blazor (or webassemblies in general) to be better evaluated.

note this commit

uazo commented 1 year ago

This CL introduces SharedDictionaryAccessChecker class. This class is used to determine whether it is allowed to use a shared dictionary.

Introduce SharedDictionaryAccessChecker: https://chromium-review.googlesource.com/c/chromium/src/+/4635063