Make WordPress Core

Opened 9 years ago

Last modified 6 months ago

#21938 new enhancement

Add "no-store" to Cache-Control header to prevent history caching of admin resources

Reported by: soulseekah
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version: 3.4
Component: Administration
Keywords: needs-patch
Focuses:
Cc:


The current implementation of wp_get_nocache_headers does not take into account history caching, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long logged out.

RFC 2616 14.9.2 no-store describes this cache directive.

To reproduce: log in to dashboard, log out, press the back button.
Expected: the login screen.
Reality: a copy of the previous page.

By adding the "no-store" directive to all non-cacheable resources the behavior was mitigated successfully in Chrome 21 and Firefox 15. Fails on Opera 12 (they chose to disregard "no-store" when applied to history; the RFC allows this).

Attachments (1)

21938.patch (509 bytes) - added by soulseekah 9 years ago.
"no-store" please


Change History (12)


#1 @kovshenin
9 years ago

  • Cc kovshenin added

#2 @ocean90
9 years ago

  • Cc ocean90 added

#3 follow-up: @toscho
9 years ago

  • Cc info@… added

That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.


#4 in reply to: ↑ 3 @soulseekah
9 years ago

Replying to toscho:

> That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.

Agreed, under certain circumstances this could be a nuisance, especially if users are logged in and the admin bar is shown. As for performance, it seems that all of Twitter is served with "no-store" and it does appear (to me) to be quite jagged navigation-wise.

Without a proper step-by-step testing plan in mind, I guess I'll use the patch in production for a bit to see if it causes any unexpected issues in general.

#5 @nacin
9 years ago

The other issue is sometimes you want the back button to be where you were last, without a complete reload. How many times have you lost a comment or some other content by clicking away (in WP or not) and scrambled to recover it?

#6 @SergeyBiryukov
9 years ago

  • Version changed from trunk to 3.4

#8 @nevma
7 years ago

It seems that Firefox actually needs the no-store as well, in order to not cache a page. Otherwise, it serves it from the BFCache. The no-store should be added to the wp_get_nocache_headers function in the Cache-Control header. This is what the MDN documentation in Using Firefox Caching mentions, too.

#9 @chriscct7
6 years ago

  • Keywords needs-patch added; has-patch removed
  • Severity changed from trivial to minor

#10 @dingo_bastard
4 years ago

Is this something that will be implemented or not? Since there exists a nocache_headers filter, if a user wants to modify the Cache-Control, all he/she has to do is unset it and then add no-store in it with the filter.

IMO this ticket can be closed.

#11 @vikram6
6 months ago

Hi. Are there any plans to fix this or should we work around it on our side?
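
The filter-based workaround mentioned in comment #10, as an added example (not code from the ticket, the attached patch, or WordPress core). The function name `example_add_no_store` and the sample header values are assumptions made for illustration; `nocache_headers` is the filter named in the thread.

```php
<?php
/**
 * Added example: append "no-store" to the Cache-Control value that
 * wp_get_nocache_headers() passes through the nocache_headers filter.
 * The function name is hypothetical.
 */
function example_add_no_store( array $headers ): array {
    // Find the header case-insensitively; another filter may have changed the key's case.
    $key = 'Cache-Control';
    foreach ( array_keys( $headers ) as $name ) {
        if ( strcasecmp( $name, 'Cache-Control' ) === 0 ) {
            $key = $name;
            break;
        }
    }

    // Split the current value into directives and drop empty fragments.
    $directives = array_filter(
        array_map( 'trim', explode( ',', $headers[ $key ] ?? '' ) ),
        'strlen'
    );

    // Leave the headers untouched when no-store is already present.
    foreach ( $directives as $directive ) {
        if ( strcasecmp( $directive, 'no-store' ) === 0 ) {
            return $headers;
        }
    }

    // Keep the existing directives and add no-store at the end.
    $directives[]    = 'no-store';
    $headers[ $key ] = implode( ', ', $directives );
    return $headers;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook the filter discussed in the ticket.
    add_filter( 'nocache_headers', 'example_add_no_store' );
} else {
    // Stand-alone run on constructed sample headers.
    $sample = array(
        'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
        'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
    );
    print_r( example_add_no_store( $sample ) );
    // A value that already carries no-store comes back unchanged.
    print_r( example_add_no_store( array( 'cache-control' => 'private, No-Store' ) ) );
}
```

As the thread notes, browsers may still apply their own history policy (Opera 12 ignored the directive for Back navigation), and forcing a reload on Back can discard unsaved form content.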
