
SDCH (Shared Dictionary Compression for HTTP)

SDCH (Shared Dictionary Compression for HTTP) was Google's 2008-2017 attempt at HTTP-level shared-dictionary compression. Shipped in Chrome in 2008, it delivered "double-digit improvements in page load times" for early adopters, then was un-shipped in 2017 after accumulating a triad of problems its design couldn't absorb: compression side-channel attacks (CRIME 2012, BREACH 2013), Same-Origin Policy violations and CORS irreconcilability, and Cache API specification gaps.

Today's reference for the idea is the IETF standard RFC 9842, with the first CDN-tier deployment being Cloudflare Shared Dictionaries (2026-04-30 beta), explicitly built to close the gaps SDCH couldn't.

Why it failed

Compression side-channel attacks

Attackers injected attacker-controlled content into a response alongside a secret (session cookie, CSRF token), watched the compressed-output size shrink as each guessed byte matched the secret, and so extracted the secret one byte at a time. CRIME (2012) targeted TLS-compressed responses; BREACH (2013) targeted HTTP-compressed responses. SDCH's model made this exploitable because dictionaries could be served from any origin and could therefore be shared across sensitive and attacker-influenced content paths.

Same-Origin-Policy violations

SDCH's cross-origin dictionary model powered its performance: a single dictionary could be served from a CDN and reused across multiple domains. But this violated the browser's Same-Origin Policy and couldn't be reconciled with CORS. The dictionary lifecycle made attempts to retrofit CORS untenable.

Cache-API specification gaps

SDCH's interaction with the Cache API was ambiguous: how a dictionary-encoded response should be cached and matched was under-specified, leading to inconsistent implementations.

Un-shipping (2017)

Chrome was the only browser shipping SDCH by 2017. The blink-dev intent-to-remove made the call explicit: the specification and its adoption were not ready to absorb the security and interop problems. SDCH was removed from Chrome.

Why RFC 9842 doesn't repeat SDCH's fate

  • Same-origin constraint: an advertised dictionary is usable only for same-origin responses. This closes the cross-origin attack surface and the CORS incompatibility in one stroke.
  • Cache interactions and encoding negotiation are specified inside the RFC, avoiding SDCH's spec gaps.
  • CDN-managed deployment path via systems/cloudflare-shared-dictionaries' three-phase rollout: advanced customers can bring their own dictionaries (Phase 1), most customers delegate to the CDN (Phases 2 and 3).
