WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#37250 closed defect (bug) (fixed)

`Pragma` is a request header, not a response header

Reported by: geekysoft Owned by: pento
Milestone: 4.6 Priority: normal
Severity: normal Version:
Component: General Keywords: has-patch commit
Focuses: Cc:
PR Number:

Description

WordPress incorrectly sends the Pragma request header in return to clients as a responses header. Request headers should never be included in responses to clients and will cause compatibility issues.

The attach patch removes the header.

Multiple HTTP testing and compliance tools report this as an issue. The header is defined in RFC 2616 section 14.32.

Attachments (1)

remove_pragma_in_responses.diff (2.4 KB) - added by geekysoft 3 years ago.

Download all attachments as: .zip

Change History (4)

#1 follow-up: @pento
3 years ago

  • Keywords has-patch commit added
  • Milestone changed from Awaiting Review to 4.6
  • Owner set to pento
  • Status changed from new to assigned
  • Version trunk deleted

Thank you for the ticket and patch, @geekysoft!

That's some classic code you've run into there - the earliest instance I could find is [1947], but it might be from earlier. There's no ticket to go with it, but I suspect the original uses were based on KB234067, IE 5 and earlier didn't recognise Cache-Control, but they did recognise Pragma as a response header.

Anyway, that was just a fun dive through history. We haven't supported such old browsers in a long time, so I have no problem with this going in.

#2 in reply to: ↑ 1 @SergeyBiryukov
3 years ago

Replying to pento:

the earliest instance I could find is [1947], but it might be from earlier.

Yup, it was already there as of [8].

#3 @ocean90
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 37944:

General: Remove the Pragma header from responses.

Pragma is supposed to be a request header, but we've been including it in responses since the beginning of time.

This is a relic dating all the way back to b2, probably originally added because Internet Explorer version 5 and earlier didn't understand the Cache-Control header in responses, but they did (incorrectly) obey the Pragma header.

Internet Explorer 6 and 7 will obey the Pragma response header only if no other cache-related response headers are present (in our case, they are always present), and all other browsers ignore the Pragma response header.

Props geekysoft.
Fixes #37250.

Note: See TracTickets for help on using tickets.