(I'm referring to application caches/manifests; not local storage, by the way.)

Let's say I want only specific users to be able to use an application cache. When they log in to my website, depending on their privileges, the site tells the browser to grab the manifest. Guests, and those without privileges, are not given access to the manifest.

To circumvent this, a malicious user could copy the application cache files from another user's browser data folder, or directly download the manifest file.

Is there any way to prevent this from happening? Any built-in mechanisms?

Chris Laplante

1 Answer

To circumvent this, a malicious user could copy the application cache files from another user's browser data folder ...

Only with physical access to the machine, or if the machine has been severely compromised. But there's no protection against these types of attacks. Current browsers should sufficiently isolate application caches to specific domains. Cross-domain access is simply not allowed.

... or directly download the manifest file.

If you have access to your server-side, then you can auto-generate your manifests upon user login. This way, every manifest will be unique to the user, and no manifest will exist to be downloaded directly for anyone who does not have appropriate permissions to your site.

... Any built-in mechanisms?

There's no built-in security mechanism for applicationCache. I've considered this in my offline apps, and the only security measure that I've seen is encryption of cached files. Client-side encryption is less-than-ideal, but you could encrypt the contents of your cached files and require a key to decrypt them upon application/page launch. Last time I researched this, the JS crypto library from a few Stanford students was the best I found.

ampersand
  • Another thing that I'd like to protect against is someone distributing their manifest file. I guess encryption would be the way... – Chris Laplante May 23 '11 at 21:51
  • Where would someone get the manifest file if it is auto-generated? I'm not even sure if browsers store the manifest or just the info from it. Anyway, what I meant was if you auto-generate a manifest file with a unique filename that is specific to that user, and make sure that this file exists only for the duration of the user's session - then there should be no way for outside users to get at the manifest. As for cached files: all cached files are stored in a database, not as individual files, so it is difficult to "distribute" them upon download. – ampersand May 23 '11 at 21:56
  • @simplecoder, btw here is an example of auto-generating manifests with PHP: http://stackoverflow.com/questions/3727774/using-wildcard-in-fallback-section-of-cache-manifest-file-html5. – ampersand May 23 '11 at 22:01
  • @ampersand: They have to store the manifest, or at least files marked usable for offline access, so that when you do access them offline, they are available. – Chris Laplante May 23 '11 at 22:24
  • Yes, but they are not stored as individual files, but in a database, which makes it difficult to distribute the individual files. It's still not secure as such, but at least it requires work to extract and re-assemble the files. – ampersand May 23 '11 at 22:31
  • True. I have found a tool that does this automatically, however. But, it is what it is. Excellent answer; thank you. – Chris Laplante May 23 '11 at 23:07
  • A tool to extract cached files from the db? I'd be interested in such a tool. Could you share a link? – ampersand May 24 '11 at 01:16
  • Ah, I'm sorry, the name misled me. The tool only views the regular cache: http://www.nirsoft.net/utils/chrome_cache_view.html – Chris Laplante May 24 '11 at 01:22
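
The login-gated, per-user manifest described in the answer and its comments, as an added example (not code from the original posts or from the linked PHP question). The session store, server key, asset list and all function names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret; this value is a constructed placeholder.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample session store: session id -> user record.
SESSIONS = {
    "sess-alice": {"user": "alice", "offline_allowed": True},
    "sess-guest": {"user": "guest", "offline_allowed": False},
}

OFFLINE_ASSETS = ["/app.js", "/app.css", "/offline.html"]


def manifest_token(session_id: str) -> str:
    """Unguessable manifest name, unique per session (HMAC-SHA256)."""
    digest = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def manifest_url(session_id: str) -> str:
    """URL the logged-in page puts in <html manifest="...">."""
    return f"/manifest/{manifest_token(session_id)}.appcache"


def serve_manifest(path: str, session_id):
    """Return (status, headers, body) for a manifest request."""
    session = SESSIONS.get(session_id)
    allowed = (
        session is not None
        and session["offline_allowed"]
        # Constant-time check that the path belongs to this very session.
        and hmac.compare_digest(path.encode(), manifest_url(session_id).encode())
    )
    if not allowed:
        # No manifest exists for this requester. A 404 (or 410) on a manifest
        # fetch also makes the browser discard a previously stored cache.
        return 404, {"Cache-Control": "no-store"}, ""
    lines = ["CACHE MANIFEST", f"# user: {session['user']}", "CACHE:"]
    lines += OFFLINE_ASSETS
    lines += ["NETWORK:", "*"]
    headers = {"Content-Type": "text/cache-manifest",
               "Cache-Control": "no-store"}
    return 200, headers, "\n".join(lines) + "\n"
```

Deleting the session record on logout makes the same URL return 404, which matches the comment about the manifest existing only for the duration of the user's session.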