Opened 13 years ago
Closed 13 years ago
#18819 closed enhancement (duplicate)
CDNs May Expose Personally Identifiable Information
| Reported by: | WhiteJV | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
When a visitor makes a comment on a post, WordPress sets a cookie with the filled-in information. Then, when the visitor returns or navigates to another post, that cookie is used to fill in the comment form with the previously used values. Because this is delivered to the browser as flat HTML, content delivery networks will cache this information and expose personally identifiable information until the TTL expires.
Attachments (5)
Change History (11)
#1 @ 13 years ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
#3 @ 13 years ago
The fix proposed in #16612 will not work. There are numerous CDNs that ignore headers that come from the origin. The CDN I use is one such case. You must issue "no store" directives in the header to instruct the edge servers to not cache the results of the origin document.
#5 @ 13 years ago
The patch suggested by SergeyBiryukov in #17976 appears to be mostly satisfactory. Asking for clarification in the other ticket.
#6 @ 13 years ago
- Resolution set to duplicate
- Status changed from reopened to closed
That's the most obvious solution. If a CDN ignores the no-cache or vary:cookies headers, however, there's not much WordPress can do, aside from #17976 to allow the complete removal of said cookies.
Closing as a duplicate of either one of those tickets, depending on which solution is required for your server environment.
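The following is an added illustration, not code from the ticket or from WordPress: a small model of the leak described in the ticket and of the two remedies discussed in comments #3 and #6. The origin prefills the comment form from the visitor's cookie; a simulated CDN edge caches pages by URL, obeys `Cache-Control: no-store`/`private`, and obeys `Vary: Cookie` only when told to (modelling the CDNs that ignore it). Cookie names are simplified and all visitors and values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Response:
    headers: dict
    body: str

def origin(path, cookies, policy):
    """Origin renders the post page and, as the ticket describes, prefills the
    comment form from the visitor's cookie. `policy` is the set of caching
    headers under test (constructed model, simplified cookie names)."""
    author = cookies.get("comment_author", "")
    email = cookies.get("comment_author_email", "")
    body = (f"<h1>{path}</h1>"
            f'<input name="author" value="{author}">'
            f'<input name="email" value="{email}">')
    return Response(dict(policy), body)

class Edge:
    """Simulated CDN edge: caches whole pages keyed by URL. It obeys
    Cache-Control no-store/private; it obeys Vary: Cookie only when
    honour_vary is set (comment #3 reports CDNs that ignore it).
    no-cache revalidation is deliberately not modelled."""
    def __init__(self, origin, honour_vary=True):
        self.origin, self.honour_vary, self.store = origin, honour_vary, {}

    def get(self, path, cookies, policy):
        hit = self.store.get(path)
        if hit is not None:
            stored_cookies, resp = hit
            varies = "cookie" in resp.headers.get("Vary", "").lower()
            if not (self.honour_vary and varies) or stored_cookies == cookies:
                return resp, "HIT"  # served from cache, whoever is asking
        resp = self.origin(path, cookies, policy)
        cc = resp.headers.get("Cache-Control", "").lower()
        if "no-store" not in cc and "private" not in cc:
            self.store[path] = (dict(cookies), resp)  # cached until TTL
        return resp, "MISS"

def leaks_pii(policy, honour_vary=True):
    """Alice (holding the comment cookie) loads the post first; Bob, with no
    cookie, then loads the same URL through the edge. True if Bob's copy of
    the page carries Alice's email address."""
    edge = Edge(origin, honour_vary)
    alice = {"comment_author": "Alice", "comment_author_email": "alice@example.com"}
    edge.get("/post/1", alice, policy)
    bob_page, _ = edge.get("/post/1", {}, policy)
    return "alice@example.com" in bob_page.body
```

With no caching headers Bob receives Alice's address; `Vary: Cookie` stops it only on an edge that honours Vary, while `Cache-Control: private, no-store` stops it on either kind of edge.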
Patched wp-comments-post.php