[wp-trac] [WordPress Trac] #16612: WordPress should return nocache headers for requests with comment cookies

WordPress Trac wp-trac at lists.automattic.com
Mon Feb 21 22:46:15 UTC 2011


#16612: WordPress should return nocache headers for requests with comment cookies
--------------------------+------------------------------
 Reporter:  barry         |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+------------------------------
Description changed by barry:

Old description:

> Most themes, when displaying the comment form, change the HTML to pre-
> fill username, email address, and website when comment cookies are
> received in the HTTP request.  Since the response does not have explicit
> nocache headers, per RFC2616 (http://www.ietf.org/rfc/rfc2616.txt)
> intermediate caches can use heuristics to determine the cache TTL for the
> response.  Since there is 0 freshness data in the response, it is not
> really possible to perform good heuristics, but in practice, caches will
> assign a default TTL to this type of response.  The result is that
> private information input by user A when submitting a comment can be
> returned to user B when making a request for the same URL.
>
> To protect ourselves against this, we should call nocache_headers() when
> comment cookies are sent and the comment form is being displayed.
> Alternatively, we can send nocache headers for all requests with comment
> cookies regardless of the content form being displayed or not (probably
> easier and maybe safer).
>
> http://humboldtherald.wordpress.com/2011/01/27/gremlins/ is a story
> likely caused by an aggressive cache and the lack of nocache headers.

New description:

 Most themes, when displaying the comment form, change the HTML to pre-fill
 username, email address, and website when comment cookies are received in
 the HTTP request.  Since the response does not have explicit nocache
 headers, per RFC2616 (http://www.ietf.org/rfc/rfc2616.txt) intermediate
 caches can use heuristics to determine the cache TTL for the response.
 Since there is 0 freshness data in the response, it is not really possible
 to perform good heuristics, but in practice, caches will assign a default
 TTL to this type of response.  The result is that private information
 input by user A when submitting a comment can be returned to user B when
 making a request for the same URL.

 To protect ourselves against this, we should call nocache_headers() when
 comment cookies are sent and the comment form is being displayed.
 Alternatively, we can send nocache headers for all requests with comment
 cookies regardless of the comment form being displayed or not (probably
 easier and maybe safer).

 http://humboldtherald.wordpress.com/2011/01/27/gremlins/ is a story likely
 caused by an aggressive cache and the lack of nocache headers.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16612#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
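
The mitigation proposed in the ticket, written as a small must-use plugin. This is an added example, not code from the ticket or from WordPress core. The example_16612_ function names, the EXAMPLE_16612_ALL_REQUESTS switch and the choice of the template_redirect hook are assumptions; nocache_headers(), COOKIEHASH, is_singular(), comments_open() and the comment_author_* cookie names are WordPress's own.

```php
<?php
/**
 * Added example (not WordPress core code): send no-cache headers when the
 * request carries comment-author cookies, so a shared cache does not store
 * a page whose comment form was pre-filled with one visitor's details.
 */

// Hypothetical switch: true  = every request with comment cookies
//                              (the ticket's second, broader option),
//                      false = only views that can show the comment form.
const EXAMPLE_16612_ALL_REQUESTS = true;

/** Return true if any WordPress comment-author cookie is set and non-empty. */
function example_16612_has_comment_cookies( array $cookies, string $hash ): bool {
    $prefixes = array( 'comment_author_', 'comment_author_email_', 'comment_author_url_' );
    foreach ( $prefixes as $prefix ) {
        $name = $prefix . $hash;
        if ( isset( $cookies[ $name ] ) && '' !== $cookies[ $name ] ) {
            return true;
        }
    }
    return false;
}

/** Runs on template_redirect: the main query is parsed, no output sent yet. */
function example_16612_maybe_nocache(): void {
    // Headers can no longer be changed once output has started.
    if ( headers_sent() ) {
        return;
    }
    if ( ! example_16612_has_comment_cookies( $_COOKIE, COOKIEHASH ) ) {
        return;
    }
    // Narrow mode limits the header to single views with comments open.
    if ( EXAMPLE_16612_ALL_REQUESTS || ( is_singular() && comments_open() ) ) {
        nocache_headers();
    }
}

// Guard so the file can be linted outside WordPress.
if ( function_exists( 'add_action' ) ) {
    add_action( 'template_redirect', 'example_16612_maybe_nocache' );
}
```

A cache that is configured to override the origin's Cache-Control and Expires headers will still store these responses, so the proxy or CDN configuration has to be checked as well.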