Google is changing Chrome's caching to prevent snooping and improve security
Google plans to introduce a change to caching in the company's Chrome web browser that is designed to improve user privacy and security. All web browsers use a cache by default to load previously accessed files more quickly when resources are requested again; this speeds up the loading of sites as content is loaded from the local system and not a remote server.
Caching works by saving a resource, an image for example, along with its full URL as the key for identification purposes. Any site requesting the resource, be it directly or in an iframe, will benefit from the cached file. While that speeds up loading, it poses risks, as a site may use the mechanism to detect whether a specific site was visited by the user in the past. Other risks include cross-site tracking and cross-site search attacks.
Google engineers developed a partition system for the cache in the Chrome web browser to mitigate these risks. The main idea is simple: instead of saving a resource with its full URL only, Chrome is adding two more bits of data to the saved information. Chrome will save the top-level site and the current-frame site next to the full URL of the cached resource. The browser uses the information to determine whether it should serve resources from the cache or not.
Chrome will load the cached resource if the request comes from the original top-level site regardless of whether it is requested directly or using an iframe. Caching rules ignore ports and subdomains.
When an unrelated site requests the file, Chrome will load it from the server and not the cache.
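The difference between the two keying schemes can be modelled in a few lines. This is an added example, not Chrome's code: `siteOf`, `HttpCache`, `probe` and all URLs are constructed for illustration, and the site calculation is simplified to the scheme plus the last two host labels (real browsers consult the Public Suffix List).

```javascript
// Simplified model of an HTTP cache keyed by URL only versus by
// (top-level site, current-frame site, URL). Added example.

// Assumption: "site" = scheme + last two host labels. Port and
// subdomain are dropped, matching the rule stated in the article.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  key(topLevelUrl, frameUrl, resourceUrl) {
    if (!this.partitioned) return resourceUrl; // legacy: URL is the whole key
    return [siteOf(topLevelUrl), siteOf(frameUrl), resourceUrl].join(" ");
  }
  // Returns "hit" or "miss"; a miss stores the entry, as a network load would.
  fetch(topLevelUrl, frameUrl, resourceUrl) {
    const k = this.key(topLevelUrl, frameUrl, resourceUrl);
    if (this.entries.has(k)) return "hit";
    this.entries.add(k);
    return "miss";
  }
}

// Constructed scenario: the same CDN image requested from three pages.
const LOGO = "https://cdn.test/logo.png";
function probe(partitioned) {
  const cache = new HttpCache(partitioned);
  const first = "https://news.example/";
  const samePort = "https://www.news.example:8443/story"; // same site
  const other = "https://unrelated.test/";                // different site
  return {
    firstVisit: cache.fetch(first, first, LOGO),
    sameSite: cache.fetch(samePort, samePort, LOGO),
    otherSite: cache.fetch(other, other, LOGO),
  };
}

console.log("URL-only key:", probe(false));
console.log("partitioned :", probe(true));
```

With the URL-only key the unrelated site gets a cache hit, which is the signal that reveals the earlier visit; with the partitioned key it gets a miss and the resource is fetched from the network again.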
Google's data indicates that the new caching functionality increases the miss rate by about 3.6% and will increase the "fraction of bytes loaded from the network" by about 4%.
Apple is already using cache isolation in the Safari browser. Mozilla has plans to introduce the functionality in Firefox as well.
The introduction of cache partitioning improves privacy and security when caching files. Google plans to introduce the change in Chrome 86 gradually. The new version of the browser was released on October 6, 2020.
Now You: what is your take on the feature? Have you disabled the cache?
> what is your take on the feature? Have you disabled the cache?
I like this change of course, good to see that Google is quick to implement this. The way I handle cache: Cookie AutoDelete deletes it upon closing the related tab or upon domain change. I have also set my browser to delete cache upon shutdown.
And what browser might that be? Do tell!
(Sorry, couldn’t resist :P )
Can’t mention it, for I will be accused of shilling it, even in statements that can be applied just as much to any other browser.
Learned from experience, rather.
Also shhh, don’t spoil it for everybody. :D
> Have you disabled the cache?
Disabling cache on Chromium-based web browsers is really dumb, I would love to do it because it’s useless with current high speed connections. On the other hand, in Firefox you can easily do it in about:config
I presume this concerns memory cache as well as disk cache… or does it?
Personally I disable disk cache and if the advantages of keeping only memory cache are obvious in terms of speed and privacy in that it vanishes once the browser has exited, I still don’t know exactly the incidence on privacy during the session: does the concern addressed by Chrome’s caching modification include memory cache?
How do you disable caching on the newest Chrome-browser?
@jonik, I don’t use the Chrome Browser; I should have pointed this out on the comment you are referring to. This explains why I was wondering if Chrome’s caching modification includes the memory cache.
CDN operators opposed this change: https://github.com/whatwg/fetch/issues/904#issuecomment-524858346
It should be added that this feature has been available in Firefox for years if you enable First-Party Isolation (as mentioned, e.g., in https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/ ) or, alternatively, by using containers in Firefox, e.g., via the add-on Temporary Containers.
It was not! It required an additional switch in `about:config`.
Snooping by whom, Google?
Seems like the equivalent of FF’s first party isolation which is nice for privacy but breaks some sites. Similar to blocking third party cookies, good idea but a crap shoot in practice.
When Chrome is capable of deleting browsing data on close vs. next open, Google will actually be doing something for users. Currently they depend on lack of user knowledge for their smoke and mirrors show.
They can do all the preemptive damage control they want and it will help them naught when DOJ hits them.
It’s not like Firefox first party isolation. It’s not about privacy, but it is about security. It’s still not enabled in Firefox – https://bugzilla.mozilla.org/show_bug.cgi?id=1536058