(I'm referring to application caches/manifests; not local storage, by the way.)
Let's say I want only specific users to be able to use an application cache. When they login to my website, depending on their privileges, the site tells the browser to grab the manifest. Guests, and those without privileges, are not given access to the manifest.
To circumvent this, a malicious user could copy the application cache files from another user's browser data folder, or directly download the manifest file.
Is there anyway to prevent this from happening? Any built-in mechanisms?
To circumvent this, a malicious user could copy the application cache files from another user's browser data folder ...
Only with physical access to the machine, or if the machine has been severely compromised. But there's no protection against these types of attacks. Current browsers should sufficiently isolate application caches to specific domains. Cross-domain access is simply not allowed.
... or directly download the manifest file.
If you have access to your server-side, then you can auto-generate your manifests upon user login. This way, every manifest will be unique to the user, and no manifest will exist to be downloaded directly for anyone who does not have appropriate permissions to your site.
... Any built-in mechanisms?
There's no built-in security mechanism for applicationCache. I've considered this in my offline apps, and the only security measure that I've seen is encryption of cached files. Client-side encryption is less-than-ideal , but you could encrypt the contents of your cached files and require a key to decrypt them upon application/page launch. Last time I researched this, the JS crypto library from a few Stanford students was the best I found.