Cache-Control in Meta-Tag is ignored in xslt

RESOLVED WONTFIX

Status

()

defect
RESOLVED WONTFIX
16 years ago
3 years ago

People

(Reporter: darin.moz, Unassigned)

Tracking

({privacy, sec-want})

Trunk
Future
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want])

(Reporter)

Description

16 years ago
>Issue details:
>On a secure connection, returned content includes 
>the following meta tags:
><meta HTTP-EQUIV="Expires" CONTENT="-1">
><meta HTTP-EQUIV="Cache-Control" CONTENT="no-
>cache, no-store">
>
>However, the page in question is stored in the 
>browser's cache, and it is possible for an 
>unauthorized user to navigate to it via the 
>browser's back button.

i'm not sure this needs to be security sensitive, but i'm filing it that way
just in case.
(Reporter)

Updated

16 years ago
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.4beta

Updated

16 years ago
Summary: Cache-Control Meta-Tag Bug → Cache-Control in Meta-Tag is ignored

Comment 1

16 years ago
http://www.pacificnet.net/~johnr/meta.html has an interesting note on this about
IE behavor...
I cannot reproduce the "on a secure connection" part, we don't cache SSL pages. But we do ignore no-cache, no-store in meta tags. We do obey expires so we will reload pages that change often, but there is a potential privacy problem with storing the files locally.

Since this is a privacy issue rather than an exploit there's no need for the confidential flag. People can better protect themselves if this issue is known.
Group: security
Keywords: privacy
Whiteboard: [sg:want]
(Reporter)

Comment 3

13 years ago
*** Bug 272857 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 4

12 years ago
-> reassign to default owner
Assignee: darin.moz → nobody
Status: ASSIGNED → NEW

Comment 5

12 years ago
I tested this bug on Firefox 2.0.0.11 and it seems it has been partially fixed. Firefox obeys meta tags, including CC: no-cache, no-store, must-revalidate and the likes, and their value overrides whichever value was set by a header.

**However** this is only valid for documents served as text/html. Firefox still seems to ignore meta tags in documents generated by its XSLT engine Transformiix.

Tested on
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008012904 Minefield/3.0b3pre

Updated

11 years ago
Duplicate of this bug: 430077
Old but good. Resetting some target flags, looking for a mentor. Bobby Holley, if you're willing to mentor this bug, I choo choo choose you.
Severity: critical → normal
Flags: needinfo?(bobbyholley)
Priority: P1 → --
Target Milestone: mozilla1.4beta → Future
(In reply to Mike Hoye [:mhoye] from comment #7)
> Old but good. Resetting some target flags, looking for a mentor. Bobby
> Holley, if you're willing to mentor this bug, I choo choo choose you.

I am not the right person to mentor this bug. I think you want someone who does more networking.
Flags: needinfo?(bobbyholley)
Component: Networking: HTTP → XSLT
Summary: Cache-Control in Meta-Tag is ignored → Cache-Control in Meta-Tag is ignored in xslt
We don't support cache-control meta tags at all anymore, and haven't in 5 years or so.  It's not in the spec, it's not really supported in other browsers, and we don't have plans to readd any sort of support.  See also bug 579846 and bug 629621.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.