Google is introducing a significant change to Chrome's Back/Forward Cache (BFCache) behavior, allowing web pages to be stored in the cache, even if a webmaster specifies not to store a page in the browser's cache.
"bfcache is an in-memory cache that stores a complete snapshot of a page (including the JavaScript heap) as the user is navigating away," explains Google's web.dev site.
"With the entire page in memory, the browser can quickly and easily restore it if the user decides to return."
Site admins can specify how their web pages are stored in a browser's cache using the "Cache-control:" header. One option is to use the "Cache-control: no-store" header, which prevents the website response from being stored in the browser.
However, browsers have not been storing webpages in bfcache if they use this header, causing performance issues when users return to those pages using the back and forward browser buttons.
Google to ignore the "no-store" header for the bfcache
Google proposes that webpages should be stored in the BFCache even when the "Cache-control: no-store" header is present on HTTPS pages. This approach would increase the instances of instant back/forward navigations, resulting in a better experience.
Google engineer Fergal Daly says that the primary objective isn't to prevent the restoration of pages containing sensitive data. Instead, the focus is to avoid restoring pages with sensitive data that the user should no longer have access to.
If there are no changes to cookies, the assumption is that the browser's HTTP requests, and thus access decisions, remain consistent. The challenge lies in server-side changes resulting in loss of access.
For sites using technologies like EventSource to reflect changes to open pages, these updates will trigger eviction from BFCache or deliver events promptly upon restoration. For sites without immediate update mechanisms, there's a risk that users may access outdated data, which the proposed BFCache behaviour could potentially exacerbate.
Google is working on addressing these concerns by rolling out the feature to test channels first and getting enough data to understand the impact.
Some have raised concerns that this change could break promises to web developers who assume that the "Cache-control: no-store" header means the browser will not cache the webpage.
"To me this seems to be touching a sensitive area and I'm not certain how this will play out in the real world," commented Opera developer Daniel Bratell.
"Even if cache-control: no-store is being badly overused, and the numbers you list seem to indicate that is the case, hasn't there been a promise to web developers that such a resource will be forever gone once the page is no longer shown, and is that a promise that can reasonably be broken?"
However, Daly says that this header only promises not to store a web page in the regular browser cache, not the bfcache.
"There is no explicit promise that CCNS prevents BFCaching. The CCNS header, or in general, all the Cache-control directives, are intended to control the HTTP caching, so the explicit promise is about HTTP cache," explained Daly.
"BFCache is not part of the HTTP caching, and developers should not interpret the CCNS header as a promise that the page will not be BFCached."
By redefining how BFCache interacts with the "Cache-control: no-store" directive, Google Chrome developers hope to create a more responsive browsing experience without compromising user security and privacy.
Comments
h_b_s - 7 months ago
Minor performance gains become irrelevant when your experience is inundated with ads soaking up computer resources and granting a known vector for malicious drive-by attacks thanks to Google's increasingly antagonistic stance against ad blockers. They have become as necessary to a secure and sane user experiences as anti-virus and anti-crapware scanners was in the late 90s & naughts. If you want a safe, sane, and private web browsing experience avoid Chrome and Edge at all costs.
HWKNZX - 7 months ago
You options on mobile are quite limited:
Edge with ABP
Samsung Internet with ABP
Brave Browser
Firefox with ublock
Edge offers read-a-loud with Brave and Firefox being better at blocking most ads and sometimes YouTube ads. Combining one of these with a public DNS of adguard or pi-hole you setup a two filter system at the cost of latency.
My experience with "cache-control" is it always causes more problems as the ones that invented it never thought about how to manage it effectively and securely. Either something gets cached and stolen, that shouldn't have been or the users end up with outdated/broken web pages so most disable "cache-control" on everything but images.
ZdejPoham - 7 months ago
"However, Daly says that this header only promises not to store a web page in the regular browser cache, not the bfcache."
I promise, I will not store your sensitive private data in the database, I will write it in block letters on the wall.