Closed
Bug 1389635
Opened 7 years ago
Closed 7 years ago
Caching HTTP GET response even though Cache-Control settings include no-store
Categories: Core :: Networking: Cache, defect
Status: RESOLVED DUPLICATE of bug 1318234
People: Reporter: andrewlandry, Unassigned
Details: Keywords: privacy, Whiteboard: [necko-next]
Attachments: 1 file (129.84 KB, image/png)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce:
1. Visit a page that contains no-store Cache-Control headers. My example is https://www.behance.net - login and click "Create a Project", which brings you to https://www.behance.net/portfolio/editor
2. View cache at about:cache-entry?storage=memory&context=&eid=&uri=https://www.behance.net/portfolio/editor

Actual results:
The entire response is cached in-memory - even though the Cache-Control headers are set to: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Expected results:
The response should not have been cached.
Updated•7 years ago
Group: core-security → network-core-security
Comment 1•7 years ago
It's possible we've interpreted "no-store" to mean not to write anything to disk, but keep it in memory for perf reasons. What do other browsers do?
Reporter
Comment 2•7 years ago
Other browsers I tested don't store it in in-memory cache. The vulnerability is that PII could be viewed with the cache viewer by the next user of a public computer if the user did not close Firefox at the end of their session.
Comment 3•7 years ago
This is known. And our no-store treatment will be discussed soon (I have it on the list) so that we may stop keeping it even in the memory cache.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [necko-next]
Reporter
Comment 4•7 years ago
Excellent, thanks for the update!
Comment 5•7 years ago
(In reply to Honza Bambas (:mayhemer) from comment #3)
> This is known. And our no-store treatment will be discussed soon

Can this be duped to or depend-on some other bug? Or is it just a literal "list" somewhere?
Flags: needinfo?(honzab.moz)
Updated•7 years ago
Group: network-core-security
Comment 6•7 years ago
I think the duplicate is bug 1318234
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(honzab.moz)
Resolution: --- → DUPLICATE
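
Added example, not part of the bug thread or of Mozilla's code: a JavaScript check that parses Cache-Control values like the one in the report and lists retained cache entries whose response carried no-store, counting memory and disk alike, as the reporter's expected result does. The function names, the entry shape and the sample entries (including the example.test URLs) are constructed for illustration.

```javascript
// Added example; function names and the entry shape are hypothetical.

// Parse a Cache-Control value into a Map of lowercase directive -> argument (null if none).
// Commas inside a quoted argument do not separate directives.
function parseCacheControl(value) {
  const parts = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\") { current += ch + (value[++i] ?? ""); continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) { parts.push(current); current = ""; continue; }
    current += ch;
  }
  parts.push(current);

  const directives = new Map();
  for (const part of parts) {
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    const arg = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"|"$/g, "");
    directives.set(name, arg);
  }
  return directives;
}

// Return every retained entry whose response said no-store, whatever the storage type.
function findNoStoreViolations(entries) {
  return entries
    .filter((e) => parseCacheControl(e.cacheControl).has("no-store"))
    .map((e) => ({ uri: e.uri, storage: e.storage }));
}

// Constructed sample entries; the first mirrors the header quoted in the report.
const sampleEntries = [
  { uri: "https://www.behance.net/portfolio/editor", storage: "memory",
    cacheControl: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0" },
  { uri: "https://example.test/static/app.js", storage: "disk",
    cacheControl: "public, max-age=3600" },
  { uri: "https://example.test/account", storage: "memory",
    cacheControl: 'private="Set-Cookie, X-Hint", NO-STORE' },
  // "no-store" appears only inside a quoted argument: not a directive, so not flagged.
  { uri: "https://example.test/feed", storage: "disk",
    cacheControl: 'ext="no-store, quoted", max-age=60' },
];

console.log(findNoStoreViolations(sampleEntries));
```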