Breaking up the browser cache into separate pools prevents sophisticated timing probes that let one site know whether you’re logged in to another.

Firefox version 85 will be released in January 2021, and one of its features is increased user privacy via improvements in client-side storage (cache) partitioning. This has been widely and incorrectly reported elsewhere as network partitioning, likely due to confusion around the privacy.partition.network_state flag in Firefox, which allows advanced users to enable or disable cache partitioning as desired.

What is cache partitioning—and why might I want it?

In a nutshell, cache partitioning is the process of keeping separate cache pools for separate websites, based on the site requesting the resources loaded, rather than simply on the site providing the resources.

With a traditional, globally scoped browser cache, you might see behavior like this:

  1. user browses to https://coolwebsite.com/
  2. many different resources are loaded and cached, including https://coolwebsite.com/logo.jpg
  3. user browses to https://shadywebsite.com/
  4. in a hidden div, shadywebsite loads https://coolwebsite.com/logo.jpg
  5. shadywebsite uses JavaScript elements to time how long the user’s browser needs to render logo.jpg
  6. Since https://coolwebsite.com/logo.jpg was in cache, it renders in under five milliseconds
  7. shadywebsite now knows that the user has recently visited https://coolwebsite.com/—because if logo.jpg hadn’t been cached, it would have taken longer to render in-browser.

When using a partitioned cache, the copy of https://coolwebsite.com/logo.jpg that was downloaded and cached when the user visited coolwebsite isn’t available when the user visits shadywebsite. Since there’s no copy of the file in shadywebsite’s site-specific cache pool, logo.jpg must be loaded directly—whether it’s in coolwebsite’s cache pool or not.

This is a very simplistic version of cache timing attacks that take place regularly—more sophisticated attacks may focus on elements that strongly imply a user is currently logged in to an unrelated site, rather than simply having visited it recently.

In some cases, the attacking website may even be able to forcibly evict cache records, which can allow it to see how long those records take to reappear, providing even more data about the user’s activities.

For a more detailed discussion of client-side storage partitioning, see the W3C Privacy Community Group’s work item on the topic, at https://github.com/privacycg/storage-partitioning.

What’s the downside to cache partitioning?

There are some Web resources that are legitimately used near-universally across thousands or millions of sites—for example, embedded fonts being delivered from fonts.google.com. With a globally scoped cache, site1.com might embed a copy of the Roboto font from fonts.google.com, and when site2.com through site999.com embed the same font, it can be delivered from the browser cache.

Under a partitioned cache, site1.com’s copy of Roboto is accessible only to site1.com itself—when the user goes to site938.com, which also embeds Roboto from the same source, it must be downloaded (and cached) separately.
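
The difference in cache keying behind both the logo.jpg scenario and the Roboto trade-off can be modeled in a few lines. This is an added example, not Firefox code: the ModelCache class, the font path, and the simplification of the partition key to the top-level page's scheme and hostname are assumptions made for illustration.

```javascript
// Toy model of a browser HTTP cache (added example, not Firefox code).
// Assumption: the partition key is the top-level page's scheme + hostname;
// real browsers derive it from the scheme and registrable domain.
class ModelCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
    this.downloads = 0;
  }

  // Global cache: keyed by resource URL only.
  // Partitioned cache: keyed by (top-level site, resource URL).
  key(topLevelUrl, resourceUrl) {
    if (!this.partitioned) return resourceUrl;
    const top = new URL(topLevelUrl);
    return `${top.protocol}//${top.hostname} ${resourceUrl}`;
  }

  // Returns "hit" if served from cache, "miss" if it had to be downloaded.
  load(topLevelUrl, resourceUrl) {
    const k = this.key(topLevelUrl, resourceUrl);
    if (this.entries.has(k)) return "hit";
    this.entries.add(k);
    this.downloads += 1;
    return "miss";
  }
}

// Constructed visit sequence following the article's two scenarios.
const LOGO = "https://coolwebsite.com/logo.jpg";
const FONT = "https://fonts.google.com/roboto.woff2"; // constructed path
const VISITS = [
  ["https://coolwebsite.com/", LOGO],   // user visits coolwebsite
  ["https://shadywebsite.com/", LOGO],  // shadywebsite embeds the same logo
  ["https://site1.com/", FONT],         // first site embedding Roboto
  ["https://site938.com/", FONT],       // another site embedding Roboto
  ["https://coolwebsite.com/", LOGO],   // return visit to coolwebsite
];

// Replays the visits against a fresh cache and reports hit/miss per load.
function replay(partitioned) {
  const cache = new ModelCache(partitioned);
  const results = VISITS.map(([top, res]) => cache.load(top, res));
  return { results, downloads: cache.downloads };
}

console.log("global:     ", replay(false));
console.log("partitioned:", replay(true));
```

In the global model, shadywebsite's load of logo.jpg is a hit, which is the signal a timing probe measures; in the partitioned model it is a miss regardless of the user's history, and the shared font costs one extra download per embedding site.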

Which resources will be partitioned in Firefox 85?

As reported by ZDNet, the following resources will now be partitioned when privacy.partition.network_state is enabled:

  • HTTP cache
  • Image cache
  • Favicon cache
  • Connection pooling
  • StyleSheet cache
  • DNS
  • HTTP authentication
  • Alt-Svc
  • Speculative connections
  • Font cache
  • HTTP Strict Transport Security (HSTS)
  • Online Certificate Status Protocol (OCSP)
  • Intermediate CA cache
  • TLS client certificates
  • TLS session identifiers
  • Prefetch
  • Preconnect
  • CORS-preflight cache

Although this will be the broadest userdata cache partitioning scheme in production once launched, Mozilla is playing catch-up in deploying one at all. Apple began partitioning Safari’s browser cache in 2013 and has continued to partition it further since, and Google partitioned Chrome’s HTTP cache beginning with Chrome 86, released in early October.

This will leave Microsoft’s Internet Explorer and Edge as the last mainstream browsers with globally scoped HTTP cache. Edge will presumably get cache partitioning effectively by default as it rebases on new versions of Chromium in the future.