Firefox version 85 will be released in January 2021, and one of its features is increased user privacy via improvements in client-side storage (cache) partitioning. This has been widely and incorrectly reported elsewhere as network partitioning, likely due to confusion around the privacy.partition.network_state flag in Firefox, which allows advanced users to enable or disable cache partitioning as desired.
What is cache partitioning—and why might I want it?
In a nutshell, cache partitioning is the practice of keeping separate cache pools for separate websites, keyed by the site that requested a resource (the top-level page the user is on) rather than only by the site providing the resource.
With a traditional, globally scoped browser cache, you might see behavior like this:
- user browses to https://coolwebsite.com/
- many different resources are loaded and cached, including https://coolwebsite.com/logo.jpg
- user browses to shadywebsite
- in a hidden div, shadywebsite loads https://coolwebsite.com/logo.jpg; because it was in cache, it renders in under five milliseconds
- shadywebsite now knows that the user has recently visited https://coolwebsite.com/, because if logo.jpg hadn't been cached, it would have taken longer to render in-browser.
When using a partitioned cache, the copy of https://coolwebsite.com/logo.jpg that was downloaded and cached when the user visited coolwebsite isn't available when the user visits shadywebsite. Since there's no copy of the file in shadywebsite's site-specific cache pool, logo.jpg must be fetched over the network, whether it's in coolwebsite's cache pool or not, so the load takes the same (longer) time either way and the timing reveals nothing about the user's history.
This is a very simplistic version of cache timing attacks that take place regularly—more sophisticated attacks may focus on elements that strongly imply a user is currently logged in to an unrelated site, rather than simply having visited it recently.
In some cases, the attacking website may even be able to forcibly evict cache records, which can allow it to see how long those records take to reappear, providing even more data about the user’s activities.
For a more detailed discussion of client-side storage partitioning, see the W3C Privacy Community Group’s work item on the topic, at https://github.com/privacycg/storage-partitioning.
What’s the downside to cache partitioning?
There are some Web resources that are legitimately used near-universally across thousands or millions of sites, for example embedded fonts being delivered from fonts.google.com. With a globally scoped cache, site1.com might embed a copy of the Roboto font from fonts.google.com, and when site999.com embeds the same font, it can be delivered from the browser cache.
Under a partitioned cache, site1.com's copy of Roboto is accessible only to site1.com itself; when the user goes to site938.com, which also embeds Roboto from the same source, it must be downloaded (and cached) separately, once per top-level site.
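The two scenarios above (the history-sniffing probe and the shared-font downside) come down to one question: what is the cache key? The following toy model is an added example, not code from the article or from Firefox; it keys a resource cache either by resource URL alone (the traditional global cache) or by resource URL plus the top-level site that requested it (partitioned), and runs both scenarios against each. The latencies, the shadywebsite origin (shadywebsite.example) and the font URL path are constructed placeholders, and the partition key used here (scheme plus full host) is a simplification of the browsers' actual top-level-site keying.

```javascript
// Added example (not from the original article): a toy model of a browser
// resource cache keyed two ways, to show why the shadywebsite probe works
// against a global cache and fails against a partitioned one. Latencies are
// constructed numbers, not measurements.

// Constructed latencies: a cache hit is served locally, a miss pays a
// simulated network round trip.
const HIT_MS = 2;
const MISS_MS = 120;

// Simplified partition key: scheme + host of the top-level page. Real browsers
// key on the top-level *site* (registrable domain), which this toy ignores.
function topLevelSite(pageUrl) {
  const u = new URL(pageUrl);
  return `${u.protocol}//${u.host}`;
}

class ResourceCache {
  // partitioned=false models the traditional, globally scoped cache.
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Set();
    this.networkFetches = 0;
  }

  // Cache key: the resource URL alone (global), or the resource URL scoped to
  // the top-level page that requested it (partitioned).
  key(pageUrl, resourceUrl) {
    return this.partitioned
      ? `${topLevelSite(pageUrl)}|${resourceUrl}`
      : resourceUrl;
  }

  // Simulates page `pageUrl` loading `resourceUrl`; returns the observed
  // latency and (for our inspection only) whether it was a cache hit.
  load(pageUrl, resourceUrl) {
    const k = this.key(pageUrl, resourceUrl);
    if (this.entries.has(k)) return { hit: true, ms: HIT_MS };
    this.networkFetches++;
    this.entries.add(k);
    return { hit: false, ms: MISS_MS };
  }
}

// The attacker's side of the timing probe: it never sees `hit`, only how long
// the load took. Anything under the threshold is read as "served from cache".
function probeSaysVisited(ms, thresholdMs = 20) {
  return ms < thresholdMs;
}

// Scenario from the article: the user visits coolwebsite, then shadywebsite
// loads coolwebsite's logo in a hidden div and times it.
function runHistorySniff(partitioned) {
  const cache = new ResourceCache({ partitioned });
  const victim = "https://coolwebsite.com/";
  const logo = "https://coolwebsite.com/logo.jpg";
  const attacker = "https://shadywebsite.example/"; // hypothetical attacker origin
  cache.load(victim, logo);                  // user browses coolwebsite
  const { ms } = cache.load(attacker, logo); // hidden <img> on shadywebsite
  return probeSaysVisited(ms);               // attacker's conclusion
}

// The downside: many unrelated sites embedding the same font from one host.
function countFontFetches(partitioned, siteCount) {
  const cache = new ResourceCache({ partitioned });
  const roboto = "https://fonts.google.com/Roboto.woff2"; // placeholder path
  for (let i = 1; i <= siteCount; i++) {
    cache.load(`https://site${i}.example/`, roboto);
  }
  return cache.networkFetches;
}

console.log("global cache leaks visit:", runHistorySniff(false));       // true
console.log("partitioned cache leaks visit:", runHistorySniff(true));   // false
console.log("font fetches, global:", countFontFetches(false, 999));      // 1
console.log("font fetches, partitioned:", countFontFetches(true, 999));  // 999
```

Run it with Node (`node cache-partition.js`). The probe threshold of 20 ms is a constructed value; in a real attack the attacker calibrates it per network, which is exactly why the fix has to remove the cross-site hit entirely rather than just add jitter.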
Which resources will be partitioned in Firefox 85?
As reported by ZDNet, the following resources will now be partitioned when privacy.partition.network_state is enabled:
- HTTP cache
- Image cache
- Favicon cache
- Connection pooling
- StyleSheet cache
- HTTP authentication
- Speculative connections
- Font cache
- HTTP Strict Transport Security (HSTS)
- Online Certificate Status Protocol (OCSP)
- Intermediate CA cache
- TLS client certificates
- TLS session identifiers
- CORS-preflight cache
Although this will be the broadest user-data cache partitioning scheme in production once launched, Mozilla is playing catch-up in deploying one at all. Apple began partitioning Safari's browser cache in 2013 and has continued to partition it further since, and Google partitioned Chrome's HTTP cache beginning with Chrome 86, released in early October 2020.
This will leave Microsoft's Internet Explorer and Edge as the last mainstream browsers with a globally scoped HTTP cache. Edge will presumably get cache partitioning effectively by default as it rebases on newer versions of Chromium in the future.