[wp-trac] [WordPress Trac] #57627: The Cache-Control header for logged-in pages should include `private`

WordPress Trac noreply at wordpress.org
Wed Jun 21 18:25:55 UTC 2023


#57627: The Cache-Control header for logged-in pages should include `private`
--------------------------------------+--------------------------
 Reporter:  markdoliner               |       Owner:  johnbillion
     Type:  defect (bug)              |      Status:  closed
 Priority:  normal                    |   Milestone:  6.3
Component:  Administration            |     Version:
 Severity:  normal                    |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests  |     Focuses:  privacy
--------------------------------------+--------------------------
Changes (by johnbillion):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 In [changeset:"55968" 55968]:
 {{{
 #!CommitTicketReference repository="" revision="55968"
 Administration: Add the `no-store` and `private` directives to the `Cache-Control` header when preventing caching for logged in users.

 The intention behind this change is to prevent sensitive data in responses
 for logged in users being cached and available to others, for example via
 the browser history after the user logs out.

 The `no-store` directive instructs caches in the browser or within proxies
 not to store the response in the cache. This is subtly different from the
 `no-cache` directive which means the response can be cached but must be
 revalidated before re-use. WordPress does not use ETag headers by default
 therefore this does not achieve the same result.

 The `private` directive complements the `no-store` directive by specifying
 that the response contains private information that should not be stored
 in a public cache. Some proxy caches may ignore the `no-store` directive
 but respect the `private` directive, thus it is included.

 The existing `Cache-Control` header for users who are not logged in
 remains unchanged, and the existing cache prevention directives remain in
 place for backwards compatibility.

 Props soulseekah, luehrsen, Dharm1025, markdoliner, rutviksavsani,
 ayeshrajans, paulkevan, clorith, andy786, johnbillion

 Fixes #21938, Fixes #57627
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57627#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
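An added example, not code from WordPress or from the changeset above: a small checker that parses a `Cache-Control` value and reports whether a response carrying logged-in user data has the `no-store` and `private` directives the commit message describes, treating `no-cache` on its own as insufficient for the reason given there. The `BEFORE` and `AFTER` headers are constructed samples, not WordPress's actual output.

```python
from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive, so they are lowercased.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def assess_private_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that contains logged-in user data.

    An empty list means the header carries both no-store and private.
    """
    # Header names are case-insensitive; normalise before looking them up.
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        if "no-cache" in cc:
            # no-cache only forces revalidation before reuse; the response
            # may still be written to a browser or proxy cache.
            findings.append("no-store missing: no-cache permits storing the response")
        else:
            findings.append("no-store missing: response may be cached")
    if "private" not in cc:
        findings.append("private missing: a shared cache may keep the response")
    return findings


# Constructed sample headers (assumption, not WordPress's real output)
# illustrating the two states the changeset describes.
BEFORE = {"Cache-Control": "no-cache, must-revalidate, max-age=0"}
AFTER = {"Cache-Control": "no-cache, must-revalidate, max-age=0, no-store, private"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_private_response(hdrs) or ["ok"])
```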