Make WordPress Core

Opened 11 years ago

Last modified 3 months ago

#21938 accepted enhancement

Add "no-store" to Cache-Control header to prevent history caching of admin resources

Reported by: soulseekah Owned by: johnbillion
Milestone: 6.3 Priority: normal
Severity: minor Version: 3.4
Component: Administration Keywords: needs-patch
Focuses: privacy Cc:

Description

The current implementation of wp_get_nocache_headers does not take history caching into account, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long since logged out.

RFC 2616 14.9.2 no-store describes this cache directive.

To reproduce: log in to the dashboard, log out, press the Back button.
Expected: the login screen.
Reality: a copy of the previous page.

By adding the "no-store" directive to all non-cacheable resources, the behavior was mitigated successfully in Chrome 21 and Firefox 15. It fails on Opera 12 (they chose to disregard "no-store" when applied to history; the RFC allows this).

Attachments (1)

21938.patch (509 bytes) - added by soulseekah 11 years ago.
"no-store" please


Change History (14)

@soulseekah
11 years ago

"no-store" please

#1 @kovshenin
11 years ago

  • Cc kovshenin added

#2 @ocean90
11 years ago

  • Cc ocean90 added

#3 follow-up: @toscho
11 years ago

  • Cc info@… added

That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.

Last edited 11 years ago by toscho

#4 in reply to: #3 @soulseekah
11 years ago

Replying to toscho:

That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.

Agreed, under certain circumstances this could be a nuisance, especially if users are logged in and the admin bar is shown. As for performance, it seems that all of twitter is served with "no-store" and it does appear (to me) to be quite jagged navigation-wise.

Without a proper step-by-step testing plan in mind, I guess I'll use the patch in production for a bit to see if it causes any unexpected issues in general.

#5 @nacin
11 years ago

The other issue is sometimes you want the back button to be where you were last, without a complete reload. How many times have you lost a comment or some other content by clicking away (in WP or not) and scrambled to recover it?

#6 @SergeyBiryukov
11 years ago

  • Version changed from trunk to 3.4

#8 @nevma
9 years ago

It seems that Firefox actually needs the no-store as well, in order to not cache a page. Otherwise, it serves it from the BFCache. The no-store should be added to the wp_get_nocache_headers function in the Cache-Control header. This is what the MDN documentation in Using Firefox Caching mentions, too.

#9 @chriscct7
7 years ago

  • Keywords needs-patch added; has-patch removed
  • Severity changed from trivial to minor

#10 @dingo_bastard
5 years ago

Is this something that will be implemented or not? Since there exists a nocache_headers filter, if a user wants to modify the Cache-Control header, all they have to do is unset it and then add no-store to it with the filter.

IMO this ticket can be closed.
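The filter-based workaround described in this comment, applied to the header array that wp_get_nocache_headers produces (see the ticket description), as an added example. This is not the ticket's attached patch and not core code; it assumes only the nocache_headers filter that core already exposes. The function names prefixed example_ are hypothetical.

```php
<?php
/**
 * Plugin Name: No-store nocache headers (example)
 * Description: Appends the "no-store" directive to the Cache-Control header
 *              that WordPress sends for non-cacheable responses, so a page
 *              shown while logged in is not replayed from the browser's
 *              history cache after logout. Example code, not core's patch.
 */

/**
 * Return true if a Cache-Control header value already contains $directive.
 *
 * Directive names are case-insensitive per RFC 2616 / RFC 7234.
 *
 * @param string $value     The raw Cache-Control header value.
 * @param string $directive Directive name to look for, e.g. "no-store".
 * @return bool
 */
function example_cache_control_has_directive( $value, $directive ) {
    foreach ( explode( ',', (string) $value ) as $token ) {
        // Strip any "=value" part so "max-age=0" matches "max-age".
        $name = trim( strtok( trim( $token ), '=' ) );
        if ( 0 === strcasecmp( $name, $directive ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Add "no-store" to the Cache-Control entry of a nocache header array.
 *
 * Pure function (no WordPress dependency) so it can be unit-tested in
 * isolation; it is what the nocache_headers filter callback below runs.
 *
 * @param array $headers Header name => value pairs as produced by
 *                       wp_get_nocache_headers().
 * @return array The same headers with "no-store" present in Cache-Control.
 */
function example_add_no_store_directive( array $headers ) {
    $existing = isset( $headers['Cache-Control'] ) ? (string) $headers['Cache-Control'] : '';

    if ( example_cache_control_has_directive( $existing, 'no-store' ) ) {
        return $headers; // Nothing to do; avoid a duplicate directive.
    }

    // Keep the existing directives, dropping empty tokens, and append ours.
    $directives   = array_filter( array_map( 'trim', explode( ',', $existing ) ) );
    $directives[] = 'no-store';

    $headers['Cache-Control'] = implode( ', ', $directives );
    return $headers;
}

// Hook into core's nocache_headers filter when running inside WordPress.
// The filter fires wherever wp_get_nocache_headers() is used, so the
// directive lands on every response core already marks as non-cacheable,
// including responses after POST. That is the trade-off raised in the
// comments above: with "no-store" the browser re-requests the page on
// Back instead of restoring it (and any typed form content) from history.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'nocache_headers', 'example_add_no_store_directive' );
}
```

Drop the file into wp-content/mu-plugins/ (or activate it as a normal plugin), then repeat the steps from the description: log in, log out, press Back. In the browser's network panel the dashboard response should now carry "Cache-Control: no-cache, must-revalidate, max-age=0, no-store" and the Back navigation should fetch the login screen from the server rather than a history copy. Browsers that ignore "no-store" for history navigation, as the description notes for Opera 12, are not affected by any server-side header.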

#11 @vikram6
22 months ago

Hi. Are there any plans to fix this or should we workaround it on our side?

#12 @johnbillion
4 months ago

  • Focuses privacy added
  • Milestone changed from Awaiting Review to 6.3
  • Owner set to johnbillion
  • Status changed from new to accepted

Moving to 6.3 along with #57627

#13 @johnbillion
3 months ago

#57938 was marked as a duplicate.
