<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[59724] trunk: Security: Always include the `no-store` and `private` directives in the `Cache-Control` header when setting headers that prevent caching.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/59724">59724</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/59724","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>johnbillion</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2025-01-28 23:20:48 +0000 (Tue, 28 Jan 2025)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Security: Always include the `no-store` and `private` directives in the `Cache-Control` header when setting headers that prevent caching.
The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user - not just for logged-in users.
This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files.
Props kkmuffme, devansh2002, johnbillion.
Fixes <a href="https://core.trac.wordpress.org/ticket/61942">#61942</a></pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesfunctionsphp">trunk/src/wp-includes/functions.php</a></li>
<li><a href="#trunktestse2especscachecontrolheadersdirectivestestjs">trunk/tests/e2e/specs/cache-control-headers-directives.test.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesfunctionsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/functions.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/functions.php 2025-01-28 22:43:54 UTC (rev 59723)
+++ trunk/src/wp-includes/functions.php 2025-01-28 23:20:48 UTC (rev 59724)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1489,18 +1489,18 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * Gets the HTTP header information to prevent caching.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * The several different headers cover the different ways cache prevention
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * is handled by different browsers.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * is handled by different browsers or intermediate caches such as proxy servers.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 2.8.0
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
</span><span class="cx" style="display: block; padding: 0 10px"> * `no-store` and `private` directives.
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @since 6.8.0 The `Cache-Control` header now includes the `no-store` and `private`
+ * directives regardless of whether a user is logged in.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @return array The associative array of header names and field values.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> function wp_get_nocache_headers() {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
- ? 'no-cache, must-revalidate, max-age=0, no-store, private'
- : 'no-cache, must-revalidate, max-age=0';
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $cache_control = 'no-cache, must-revalidate, max-age=0, no-store, private';
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $headers = array(
</span><span class="cx" style="display: block; padding: 0 10px"> 'Expires' => 'Wed, 11 Jan 1984 05:00:00 GMT',
</span></span></pre></div>
<a id="trunktestse2especscachecontrolheadersdirectivestestjs"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/e2e/specs/cache-control-headers-directives.test.js</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/e2e/specs/cache-control-headers-directives.test.js 2025-01-28 22:43:54 UTC (rev 59723)
+++ trunk/tests/e2e/specs/cache-control-headers-directives.test.js 2025-01-28 23:20:48 UTC (rev 59724)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -27,6 +27,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> // Dispose context once it's no longer needed.
</span><span class="cx" style="display: block; padding: 0 10px"> await context.close();
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-cache" } ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-store" } ) );
</span><span class="cx" style="display: block; padding: 0 10px"> expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "private" } ) );
</span><span class="cx" style="display: block; padding: 0 10px"> } );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -40,7 +41,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> const response = await page.goto( '/wp-admin' );
</span><span class="cx" style="display: block; padding: 0 10px"> const responseHeaders = response.headers();
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
</ins><span class="cx" style="display: block; padding: 0 10px"> expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
</span><span class="cx" style="display: block; padding: 0 10px"> expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
</span><span class="cx" style="display: block; padding: 0 10px"> } );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+ test(
+ 'Correct directives present in cache control header when not logged in on 404 page.',
+ async ( { browser }
+ ) => {
+ const context = await browser.newContext();
+ const loggedOutPage = await context.newPage();
+
+ const response = await loggedOutPage.goto( '/this-does-not-exist/' );
+ const responseHeaders = response.headers();
+ const responseStatus = response.status();
+
+ // Dispose context once it's no longer needed.
+ await context.close();
+
+ expect( responseStatus ).toBe( 404 );
+ expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
+ expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
+ expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
+ } );
</ins><span class="cx" style="display: block; padding: 0 10px"> } );
</span></span></pre>
</div>
</div>
</body>
</html>