Opened 11 years ago
Last modified 3 months ago
#21938 accepted enhancement
Add "no-store" to Cache-Control header to prevent history caching of admin resources
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.3 | Priority: | normal |
| Severity: | minor | Version: | 3.4 |
| Component: | Administration | Keywords: | needs-patch |
| Focuses: | privacy | Cc: | |
Description
The current implementation of wp_get_nocache_headers does not take into account history caching, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long logged out.
RFC 2616 14.9.2 no-store describes this cache directive.
To reproduce: log in to the dashboard, log out, press the Back button.
Expected: the login screen.
Reality: a copy of the previous page.
By adding the "no-store" directive to all non-cacheable resources the behavior was mitigated successfully in Chrome 21 and Firefox 15. Fails on Opera 12 (they chose to disregard "no-store" when applied to history; the RFC allows this).
Attachments (1)
Change History (14)
#3 (follow-up: ↓ 4), 11 years ago
- Cc info@… added
That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.
#4 (in reply to: ↑ 3), 11 years ago
Replying to toscho:
> That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.
Agreed, under certain circumstances this could be a nuisance, especially if users are logged in and the admin bar is shown. As for performance, it seems that all of twitter is served with "no-store" and it does appear (to me) to be quite jagged navigation-wise.
Without a proper step-by-step testing plan in mind, I guess I'll use the patch in production for a bit to see if it causes any unexpected issues in general.
#5, 11 years ago
The other issue is sometimes you want the back button to be where you were last, without a complete reload. How many times have you lost a comment or some other content by clicking away (in WP or not) and scrambled to recover it?
#8, 9 years ago
It seems that Firefox actually needs the no-store as well, in order to not cache a page. Otherwise, it serves it from the BFCache. The no-store should be added to the wp_get_nocache_headers function in the Cache-Control header. This is what the MDN documentation in Using Firefox Caching mentions, too.
#9, 7 years ago
- Keywords needs-patch added; has-patch removed
- Severity changed from trivial to minor
#10, 5 years ago
Is this something that will be implemented or not? Since there exists a nocache_headers filter, if the user wants to modify the Cache-Control, all he/she has to do is unset it and then add no-store to it with the filter.
IMO this ticket can be closed.
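The approach described in the ticket description and in comment #10, as an added example that is not part of this ticket or of WordPress core: a small plugin-style snippet that hooks the `nocache_headers` filter and appends `no-store` to the `Cache-Control` header that `wp_get_nocache_headers()` produces. The helper `example_add_no_store()` and the sample header values in the stand-alone check are constructed for this illustration and are not the project's own code; the helper is idempotent, so it is safe even if core or another plugin has already added the directive.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): make sure the
 * Cache-Control header emitted for non-cacheable (e.g. admin) responses
 * carries "no-store", so browsers do not serve the page from history or
 * the back-forward cache after the user has logged out.
 */

/**
 * Pure helper: return $headers with "no-store" present in Cache-Control.
 * Idempotent and case-insensitive, so calling it twice does not duplicate
 * the directive.
 *
 * @param array $headers Header name => value, as passed to the filter.
 * @return array
 */
function example_add_no_store( array $headers ) {
    $cache_control = isset( $headers['Cache-Control'] ) ? $headers['Cache-Control'] : '';

    // Split the existing value into directives, trimming whitespace and
    // dropping empty fragments (e.g. from a trailing comma).
    $directives = array_values( array_filter( array_map( 'trim', explode( ',', $cache_control ) ) ) );

    $has_no_store = false;
    foreach ( $directives as $directive ) {
        if ( strtolower( $directive ) === 'no-store' ) {
            $has_no_store = true;
            break;
        }
    }

    if ( ! $has_no_store ) {
        $directives[] = 'no-store';
    }

    $headers['Cache-Control'] = implode( ', ', $directives );
    return $headers;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register on the filter that wp_get_nocache_headers()
    // applies to its header array (comment #10 above).
    add_filter( 'nocache_headers', 'example_add_no_store' );
} else {
    // Outside WordPress: a stand-alone check on constructed input that
    // mirrors the shape of the header array the filter receives.
    $before = array(
        'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
        'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
    );
    $after = example_add_no_store( $before );

    // Expect: no-cache, must-revalidate, max-age=0, no-store
    echo $after['Cache-Control'], PHP_EOL;

    // A second pass must leave the header untouched.
    if ( example_add_no_store( $after ) !== $after ) {
        throw new RuntimeException( 'no-store was duplicated' );
    }
}
```

To confirm the header actually reaches the browser, request an admin page while logged in and inspect the response headers (for example `curl -sI` against the `wp-admin` URL and look at `Cache-Control`). Two caveats taken from the discussion above apply: `no-store` also prevents the back-forward cache from restoring the page, so the Back button triggers a full reload and form content typed into the previous page may be lost, and some browsers (Opera 12 in the reporter's test) ignore `no-store` for history navigation, which the RFC permits, so the server-side header is a mitigation rather than a guarantee.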
"no-store" please