This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Created attachment 1573: Paper describing the security problem

AppCache allows a web application to recognize whether a caching attempt of a web browser succeeds or fails. However, a malicious web application can exploit this feature to determine whether a victim web browser has a right to access specific cross-origin resources, which is a serious privacy problem.

The details of this attack were presented at the Network and Distributed System Security (NDSS) Symposium on Feb. 9, 2015.
http://www.internetsociety.org/doc/identifying-cross-origin-resource-status-using-application-cache

As explained in the paper, solving this problem is difficult, so I think that either an Origin or a Cache-Origin header is necessary to restrict cross-origin AppCache.
The plan of record is to remove appcache once service workers ship. It's already being deprecated.
https://github.com/whatwg/html/issues/151