Changeset 59724

Timestamp:

01/28/2025 11:20:48 PM (3 months ago)

Author:

johnbillion

Message:

Security: Always include the no-store and private directives in the Cache-Control header when setting headers that prevent caching.

The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user – not just for logged-in users.

This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files.

Props kkmuffme, devansh2002, johnbillion.

Fixes #61942

Location:

trunk

Files:

• src/wp-includes/functions.php (modified) (1 diff)
• tests/e2e/specs/cache-control-headers-directives.test.js (modified) (2 diffs)

trunk/src/wp-includes/functions.php

@@ -1490 +1490 @@
  *
  * The several different headers cover the different ways cache prevention
- * is handled by different browsers.
+ * is handled by different browsers or intermediate caches such as proxy servers.
  *
  * @since 2.8.0
  * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
  *              `no-store` and `private` directives.
+ * @since 6.8.0 The `Cache-Control` header now includes the `no-store` and `private`
+ *              directives regardless of whether a user is logged in.
  *
  * @return array The associative array of header names and field values.
  */
 function wp_get_nocache_headers() {
-    $cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
-        ? 'no-cache, must-revalidate, max-age=0, no-store, private'
-        : 'no-cache, must-revalidate, max-age=0';
+    $cache_control = 'no-cache, must-revalidate, max-age=0, no-store, private';
 
     $headers = array(

trunk/tests/e2e/specs/cache-control-headers-directives.test.js

@@ -28 +28 @@
         await context.close();
 
+        expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-cache" } ) );
         expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-store" } ) );
         expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "private" } ) );
@@ -41 +42 @@
         const responseHeaders = response.headers();
 
+        expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
+        expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
+        expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
+    } );
+
+    test(
+        'Correct directives present in cache control header when not logged in on 404 page.',
+        async ( { browser }
+        ) => {
+        const context = await browser.newContext();
+        const loggedOutPage = await context.newPage();
+
+        const response = await loggedOutPage.goto( '/this-does-not-exist/' );
+        const responseHeaders = response.headers();
+        const responseStatus = response.status();
+
+        // Dispose context once it's no longer needed.
+        await context.close();
+
+        expect( responseStatus ).toBe( 404 );
+        expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
         expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
         expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );