Make WordPress Core

Changeset 55968


Ignore:
Timestamp:
06/21/2023 06:25:40 PM (18 months ago)
Author:
johnbillion
Message:

Administration: Add the no-store and private directives to the Cache-Control header when preventing caching for logged in users.

The intention behind this change is to prevent sensitive data in responses for logged in users being cached and available to others, for example via the browser history after the user logs out.

The no-store directive instructs caches in the browser or within proxies not to store the response in the cache. This is subtly different from the no-cache directive which means the response can be cached but must be revalidated before re-use. WordPress does not use ETag headers by default therefore this does not achieve the same result.

The private directive complements the no-store directive by specifying that the response contains private information that should not be stored in a public cache. Som
e proxy caches may ignore the no-store directive but respect the private directive, thus it is included.

The existing Cache-Control header for users who are not logged in remains unchanged, and the existing cache prevention directives remain in place for backwards compatib
ility.

Props soulseekah, luehrsen, Dharm1025, markdoliner, rutviksavsani, ayeshrajans, paulkevan, clorith, andy786, johnbillion

Fixes #21938, Fixes #57627

Location:
trunk
Files:
1 added
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/functions.php

    r55872 r55968  
    14781478
    14791479/**
    1480  * Gets the header information to prevent caching.
     1480 * Gets the HTTP header information to prevent caching.
    14811481 *
    14821482 * The several different headers cover the different ways cache prevention
    1483  * is handled by different browsers
     1483 * is handled by different browsers.
    14841484 *
    14851485 * @since 2.8.0
     1486 * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
     1487 *              `no-store` and `private` directives.
    14861488 *
    14871489 * @return array The associative array of header names and field values.
    14881490 */
    14891491function wp_get_nocache_headers() {
     1492    $cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
     1493        ? 'no-cache, must-revalidate, max-age=0, no-store, private'
     1494        : 'no-cache, must-revalidate, max-age=0';
     1495
    14901496    $headers = array(
    14911497        'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
    1492         'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
     1498        'Cache-Control' => $cache_control,
    14931499    );
    14941500
    14951501    if ( function_exists( 'apply_filters' ) ) {
    14961502        /**
    1497          * Filters the cache-controlling headers.
     1503         * Filters the cache-controlling HTTP headers that are used to prevent caching.
    14981504         *
    14991505         * @since 2.8.0
     
    15101516
    15111517/**
    1512  * Sets the headers to prevent caching for the different browsers.
     1518 * Sets the HTTP headers to prevent caching for the different browsers.
    15131519 *
    15141520 * Different browsers support different nocache headers, so several
     
    15371543
    15381544/**
    1539  * Sets the headers for caching for 10 days with JavaScript content type.
     1545 * Sets the HTTP headers for caching for 10 days with JavaScript content type.
    15401546 *
    15411547 * @since 2.1.0
Note: See TracChangeset for help on using the changeset viewer.