Make WordPress Core

Opened 5 years ago

Last modified 7 weeks ago

#16612 new enhancement

WordPress should return nocache headers for requests with comment cookies

Reported by: barry Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Bootstrap/Load Keywords: has-patch needs-testing
Focuses: Cc:

Description (last modified by barry)

Most themes, when displaying the comment form, change the HTML to pre-fill username, email address, and website when comment cookies are received in the HTTP request. Since the response does not have explicit nocache headers, per RFC2616 (http://www.ietf.org/rfc/rfc2616.txt) intermediate caches can use heuristics to determine the cache TTL for the response. Since there is 0 freshness data in the response, it is not really possible to perform good heuristics, but in practice, caches will assign a default TTL to this type of response. The result is that private information input by user A when submitting a comment can be returned to user B when making a request for the same URL.

To protect ourselves against this, we should call nocache_headers() when comment cookies are sent and the comment form is being displayed. Alternatively, we can send nocache headers for all requests with comment cookies regardless of the comment form being displayed or not (probably easier and maybe safer).

http://humboldtherald.wordpress.com/2011/01/27/gremlins/ is a story likely caused by an aggressive cache and the lack of nocache headers.

Attachments (2)

comment_cookies_nocache.diff (1.2 KB) - added by westi 5 years ago.
The fix :)
16612.diff (1.3 KB) - added by thomaswm 7 weeks ago.
Refreshed patch

Download all attachments as: .zip

Change History (8)

#1 @barry
5 years ago

  • Description modified (diff)

5 years ago

The fix :)

#2 @nacin
5 years ago

Or, per a discussion, "Vary: Cookie" could be sent.

#3 @sorich87
4 years ago

  • Type changed from defect (bug) to enhancement

#4 @nacin
22 months ago

  • Component changed from General to Bootstrap/Load

#5 @chriscct7
7 weeks ago

  • Keywords has-patch needs-refresh added

7 weeks ago

Refreshed patch

#6 @thomaswm
7 weeks ago

  • Keywords needs-testing added; needs-refresh removed

Added refreshed version of the patch as 16612.diff.

Note: See TracTickets for help on using tickets.