Cache-Control in Meta-Tag is ignored in xslt

RESOLVED WONTFIX

Status

()

defect
RESOLVED WONTFIX
17 years ago
4 years ago

People

(Reporter: darin.moz, Unassigned)

Tracking

({privacy, sec-want})

Trunk
Future
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want])

>Issue details:
>On a secure connection, returned content includes 
>the following meta tags:
><meta HTTP-EQUIV="Expires" CONTENT="-1">
><meta HTTP-EQUIV="Cache-Control" CONTENT="no-
>cache, no-store">
>
>However, the page in question is stored in the 
>browser's cache, and it is possible for an 
>unauthorized user to navigate to it via the 
>browser's back button.

i'm not sure this needs to be security sensitive, but i'm filing it that way
just in case.
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.4beta
Summary: Cache-Control Meta-Tag Bug → Cache-Control in Meta-Tag is ignored
http://www.pacificnet.net/~johnr/meta.html has an interesting note on this about
IE behavor...
I cannot reproduce the "on a secure connection" part, we don't cache SSL pages. But we do ignore no-cache, no-store in meta tags. We do obey expires so we will reload pages that change often, but there is a potential privacy problem with storing the files locally.

Since this is a privacy issue rather than an exploit there's no need for the confidential flag. People can better protect themselves if this issue is known.
Group: security
Keywords: privacy
Whiteboard: [sg:want]
*** Bug 272857 has been marked as a duplicate of this bug. ***
-> reassign to default owner
Assignee: darin.moz → nobody
Status: ASSIGNED → NEW
I tested this bug on Firefox 2.0.0.11 and it seems it has been partially fixed. Firefox obeys meta tags, including CC: no-cache, no-store, must-revalidate and the likes, and their value overrides whichever value was set by a header.

**However** this is only valid for documents served as text/html. Firefox still seems to ignore meta tags in documents generated by its XSLT engine Transformiix.

Tested on
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008012904 Minefield/3.0b3pre
Duplicate of this bug: 430077
Old but good. Resetting some target flags, looking for a mentor. Bobby Holley, if you're willing to mentor this bug, I choo choo choose you.
Severity: critical → normal
Flags: needinfo?(bobbyholley)
Priority: P1 → --
Target Milestone: mozilla1.4beta → Future
(In reply to Mike Hoye [:mhoye] from comment #7)
> Old but good. Resetting some target flags, looking for a mentor. Bobby
> Holley, if you're willing to mentor this bug, I choo choo choose you.

I am not the right person to mentor this bug. I think you want someone who does more networking.
Flags: needinfo?(bobbyholley)
Component: Networking: HTTP → XSLT
Summary: Cache-Control in Meta-Tag is ignored → Cache-Control in Meta-Tag is ignored in xslt
We don't support cache-control meta tags at all anymore, and haven't in 5 years or so.  It's not in the spec, it's not really supported in other browsers, and we don't have plans to readd any sort of support.  See also bug 579846 and bug 629621.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.