On unsecured networks, attackers could stealthily
create malicious Application Caches in the browser of victims for even HTTPS
sites. It has always been possible to poison the browser cache and
compromise the victim's account for HTTP based sites.
With HTML5 Application Cache, it is possible to poison the cache of even
Is it agreed that if the above is true -- meaning, separation doesn't
actually exist -- then there's a bug?