Make WordPress Core

Opened 7 weeks ago

Last modified 6 weeks ago

#61942 new defect (bug)

Add "no-store" to Cache-Control header to prevent unexpected cache behavior

Reported by: kkmuffme's profile kkmuffme Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description

https://core.trac.wordpress.org/ticket/21938

Added no-store, private to Cache-Control in WP 6.1 for logged in users.
However, since this ticket was more than a decade old and created in an age before widespread reverse-proxying (CDNs), this is a problem: since those can and will store responses that have no-cache (but not no-store): https://developers.cloudflare.com/cache/concepts/cache-control/
Either by default or depending on the configuration.

Practically, not all actions are for logged in users - e.g. you have a cart/checkout/thankyou page, which will end up in a proxy-cache bc of this bug and could end up being served from cache incorrectly.

The no-store, private should be added for non-logged in users too/the user logged in condition removed

Change History (2)

This ticket was mentioned in PR #7257 on WordPress/wordpress-develop by @devansh2002.


7 weeks ago
#1

  • Keywords has-patch added

Remove logged-in check for no-store, private Cache-Control
Trac ticket: https://core.trac.wordpress.org/ticket/61942

#2 @ayeshrajans
6 weeks ago

  • Keywords has-patch removed

I agree with what the ticket proposes, but we are already doing this for logged in users.

PR 7257 seems wrong, it removes the is-logged-in check for some reason, but it's not what we should be doing because the existing code seems correct to me.

Note: See TracTickets for help on using tickets.