January 21st, 2020
The Application Cache (AppCache) specification has been deprecated since December 2016, and Chrome has deprecated the feature since version 79. In Chrome 70, AppCache was removed from insecure contexts. We plan to remove AppCache in Chrome 82. Prior to that removal, we’re announcing a security fix that introduces the concept of a manifest scope.
Beginning in Chrome 80 in January 2020, the scope of the AppCache manifest will be restricted to the path it is served from. Previously, a manifest served from any location within a site’s origin could override everything within that origin. For example, a manifest served from www.example.com/foo/bar/ would previously allow overriding any URL within www.example.com. Now it will only allow overriding URLs beginning with www.example.com/foo/bar/, the scope of the manifest.
Does This Affect My Website?
To see if this affects your website, go to chrome://appcache-internals/ and compare the path of the manifest to the paths under File URL. Note that this change only affects “Intercept” and “Fallback” properties. (See the image below.)
You should also test your site using the command line feature flag. To do so:
- Launch Chrome 80 using the following command:
- Go to chrome://appcache-internals/, find your manifest and remove it.
- Open your site so a new AppCache instance is created.
- Go to chrome://appcache-internals/, verify your manifest appears as expected and the parser version is set to 1.
- Go offline, then access your site so it’s served from AppCache. Verify all pages load as expected.
The replacement technology for AppCache is the Cache API, which requires a service worker. For a shorter-term mitigation, add the X-AppCache-Allowed HTTP response header (described below) to your manifest responses.
This header is new in Chrome 80 and will be supported until Chrome 82, which is our announced AppCache removal milestone. Please be aware that AppCache, like all Chrome features, makes use of the disk cache to fetch server responses, so any long-lived disk cache entries for a manifest must be cleared in order to pick up a change to the server’s X-AppCache-Allowed header.
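The following is an added example, not Chromium’s code or any code from this announcement. It models the Chrome 80 scope rule (a manifest controls only URLs under the directory it is served from, within its own origin) and lets you run the same audit the chrome://appcache-internals/ check asks you to do by eye: given a manifest URL and its Intercept/Fallback namespace URLs, list the namespaces that fall outside the new scope. The handling of X-AppCache-Allowed is an assumption, since the announcement names the header but does not show its value: the code treats the value as the path prefix the manifest is permitted to control (so "/" restores origin-wide control) and ignores any value that is not an absolute path. All URLs in the sample data are constructed to mirror the www.example.com/foo/bar/ example in the text.

```javascript
// Added example (not Chromium's code): model of the Chrome 80 AppCache manifest-scope
// rule plus the X-AppCache-Allowed mitigation header, for auditing manifests offline.

const MANIFEST_SCOPE_HEADER = "x-appcache-allowed"; // header named in the announcement

// Chrome 80 default: the scope is the directory the manifest is served from.
function defaultManifestScope(manifestUrl) {
  const path = new URL(manifestUrl).pathname;
  return path.slice(0, path.lastIndexOf("/") + 1);
}

// Effective scope once the manifest response carries X-AppCache-Allowed.
// ASSUMPTION (value not shown in the announcement): the header value is the path
// prefix the manifest may control, e.g. "/" to restore origin-wide control. A value
// that is not an absolute path, or that contains "..", is ignored.
function manifestScope(manifestUrl, responseHeaders = {}) {
  let scope = defaultManifestScope(manifestUrl);
  for (const [name, rawValue] of Object.entries(responseHeaders)) {
    if (name.toLowerCase() !== MANIFEST_SCOPE_HEADER) continue;
    const value = String(rawValue).trim();
    if (value.startsWith("/") && !value.includes("..")) {
      scope = value.endsWith("/") ? value : value + "/";
    }
  }
  return scope;
}

// AppCache never crosses origins (scheme + host + port), before or after Chrome 80.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// May a manifest at manifestUrl intercept / fall back for resourceUrl?
// legacy=true reproduces the pre-Chrome-80 behaviour: anything within the origin.
function mayOverride(manifestUrl, resourceUrl, responseHeaders = {}, legacy = false) {
  if (!sameOrigin(manifestUrl, resourceUrl)) return false;
  if (legacy) return true;
  const scope = manifestScope(manifestUrl, responseHeaders);
  return new URL(resourceUrl).pathname.startsWith(scope);
}

// The audit from "Does This Affect My Website?": which Intercept/Fallback namespace
// URLs lie outside the manifest's scope and therefore stop working in Chrome 80.
function namespacesOutsideScope(manifestUrl, namespaceUrls, responseHeaders = {}) {
  return namespaceUrls.filter((u) => !mayOverride(manifestUrl, u, responseHeaders));
}

// Constructed sample data mirroring the www.example.com/foo/bar/ example in the text.
const SAMPLE_MANIFEST = "https://www.example.com/foo/bar/site.appcache";
const SAMPLE_NAMESPACES = [
  "https://www.example.com/foo/bar/offline.html", // inside the new scope
  "https://www.example.com/index.html",           // outside: broke in Chrome 80
  "https://www.example.com/foo/baz/",             // outside: broke in Chrome 80
];

// Stand-alone run: show the audit with and without the mitigation header.
console.log("scope:", defaultManifestScope(SAMPLE_MANIFEST));
console.log("outside scope (no header):",
  namespacesOutsideScope(SAMPLE_MANIFEST, SAMPLE_NAMESPACES));
console.log("outside scope (X-AppCache-Allowed: /):",
  namespacesOutsideScope(SAMPLE_MANIFEST, SAMPLE_NAMESPACES, { "X-AppCache-Allowed": "/" }));
```

A manifest whose audit returns an empty list is unaffected by the Chrome 80 change; a non-empty list is exactly the set of Intercept/Fallback entries to migrate to a service worker or to cover, until Chrome 82, with the header. Note that the code compares path prefixes only after confirming the origin matches, so the header can never widen a manifest's reach beyond its own origin.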