[wp-trac] [WordPress Trac] #21938: Add "no-store" to Cache-Control header to prevent history caching of admin resources

WordPress Trac noreply at wordpress.org
Thu Aug 24 19:09:25 UTC 2023


#21938: Add "no-store" to Cache-Control header to prevent history caching of admin
resources
-------------------------------------------------+-------------------------
 Reporter:  soulseekah                           |       Owner:
                                                 |  johnbillion
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  6.3
Component:  Administration                       |     Version:  3.4
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests has-dev-    |     Focuses:
  note                                           |  performance, privacy
-------------------------------------------------+-------------------------

Comment (by westonruter):

 Coincidentally, I've been looking into removing use of the `unload` event
 (#55491) because Chrome intends to
 [https://developer.chrome.com/blog/deprecating-unload/ deprecate it], and
 more importantly because
 [https://web.dev/bfcache/#never-use-the-unload-event it prevents bfcache].
 But something else that blocks bfcache is `Cache-Control: no-store`, which
 this ticket is all about. Adding `no-store` wouldn't have caused any
 performance regression in the admin in 6.3 because `wp-heartbeat` uses the
 `unload` event. However, with this removed, the introduction of `no-store`
 holds back the performance of page navigations in the admin ''and'' the
 frontend by disabling bfcache.

 The question I have is whether the increase to security/privacy by
 disabling bfcache for logged-in users is worth the performance hit for the
 80% of users. If not, perhaps adding `no-store` should be a
 privacy/security enhancement that site owners install via a plugin when a
 site is accessed by users who use shared computers? Alternatively, perhaps
 `no-store` should only be used by default when a user does not check the
 "remember me" checkbox when logging in?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21938#comment:47>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
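
An added example, not part of the original message or of WordPress core: a Python check that reports which responses carry the `no-store` directive the comment identifies as a bfcache blocker. It parses directives rather than searching for a substring. The URLs and header values are constructed sample data, and the function names are hypothetical.

```python
def split_directives(value):
    """Split one Cache-Control field value on commas that are outside quotes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False          # character after a backslash is literal
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def directive_names(values):
    """Lower-cased directive names across every Cache-Control line of a response."""
    return {
        part.split("=", 1)[0].strip().lower()
        for value in values
        for part in split_directives(value)
    }


def no_store_urls(responses):
    """Return the URLs whose Cache-Control includes the no-store directive."""
    return [url for url, values in responses if "no-store" in directive_names(values)]


# Constructed sample responses: (URL, list of Cache-Control field values).
SAMPLE = [
    ("https://example.test/wp-admin/index.php",
     ["no-cache, must-revalidate, max-age=0, no-store, private"]),
    ("https://example.test/", ["max-age=600"]),
    # "no-store" appears only inside a quoted argument, so it is not a directive.
    ("https://example.test/feed/", ['private="x-no-store-hint, other"', "max-age=0"]),
    # Directive names are case-insensitive and may be split over several lines.
    ("https://example.test/wp-admin/profile.php", ["no-cache", "No-Store"]),
]

if __name__ == "__main__":
    for url in no_store_urls(SAMPLE):
        print("no-store present:", url)
```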

