Closed
Bug 302707
Opened 19 years ago
Closed 19 years ago
page with no-cache directive reloads from cache when using back if Content-Length Header omitted
Categories
(Firefox :: Bookmarks & History, defect)
RESOLVED DUPLICATE of bug 176014
People
(Reporter: rallen, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

If the http header does not include the Content-Length header the no-cache directive is disregarded. My site is 90% dynamically generated pages so I do not calculate the size of the document for most pages. My http headers include both Pragma: no-cache and Cache-control: no-cache yet when I use the back button the page is loaded from cache, not my server. However, when I insert a bogus large Content-Length value into the header it causes the page to be loaded from the server. I do not believe that Content-Length should affect the cache directives.

Reproducible: Always

Steps to Reproduce:
1. Load a page with Pragma: no-cache and Cache-control: no-cache and no Content-Length
2. Go to another page.
3. Use back to return to first page - it is loaded from cache.
4. Repeat with Content-Length in header

Expected Results:
Pragma: no-cache and Cache-control: no-cache should always cause the browser to ask for the page from the server.
Comment 1•19 years ago
Can you attach an HTTP header log from LiveHTTPHeaders?
(1) Install LiveHTTPHeaders ( http://livehttpheaders.mozdev.org/index.html )
(2) Clear cache, start Live HTTP Headers (through the Tools menu)
(3-1) Load the URL
(3-2) Save the HTTP log from Live HTTP Headers
(3-3) Check cache entries through about:cache
      Save the "List Cache Entries" display of both memory cache and disk cache
      (about:cache?device=memory and about:cache?device=disk)
(4) Close the about:cache tab
(5) Go to another URL
(6) Clear the Live HTTP Headers log entries
(7-1) Do "Back"
(7-2) Save the HTTP log from Live HTTP Headers
Attach the data obtained at (3-2), (3-3), (7-2) for both the "no content-length header" case and the "bogus large content-length header" case.
And please describe your cache-related preference settings. (Especially "Compare the page in the cache to the page on network")
If your site can be opened to the public, let us know the URL so that other people can try to recreate the problem.
Comment 2•19 years ago
Our behaviour is valid according to RFC 2616 section 13.13 (no-cache should not affect session history). If you really want FF not to store the page (even for session history), use Cache-Control: no-store.

*** This bug has been marked as a duplicate of 176014 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment 3•19 years ago
"If you really want FF not to store the page (even for session history), use Cache-Control: no-store."
My online medical application includes password protected, confidential dynamic content. It is vital that cache storage be disabled in all browsers so that when a page times out, someone cannot come along and back up to confidential information. My header works to block cache storage for all browsers except FF and Camino, where I cannot disable cache, and this is a real problem. Here is my header statement; I would really appreciate knowing what I am doing wrong:
<meta http-equiv="Expires" content="Tue, 04-Dec-1993 21:29:02 GMT">
<meta http-equiv="Last Modified"
CONTENT="Mon, 04-Dec-2006 21:29:02 GMT" >
<meta http-equiv="Cache-Control"
CONTENT="no-store, no-cache, must-revalidate, max-age=0">
<meta-http-equiv="Cache-Control" content="no-store">
<meta http-equiv="Cache-Control"
CONTENT="post-check=0, pre-check=0", false>
<meta http-equiv="Pragma" CONTENT="no-cache">
Comment 4•19 years ago
(In reply to comment #3)
> <meta http-equiv="Expires" content="Tue, 04-Dec-1993 21:29:02 GMT">
> <meta http-equiv="Last Modified"
> CONTENT="Mon, 04-Dec-2006 21:29:02 GMT" >
> <meta http-equiv="Cache-Control"
> CONTENT="no-store, no-cache, must-revalidate, max-age=0">
> <meta-http-equiv="Cache-Control" content="no-store">
> <meta http-equiv="Cache-Control"
> CONTENT="post-check=0, pre-check=0", false>
> <meta http-equiv="Pragma" CONTENT="no-cache">

(1) <meta http-equiv> is an alternative when no HTTP header is sent by the server. This is requested by RFC, but some other browsers ignore the RFC. And, as usual, MS's browser is perhaps included among those who ignore the RFC... :-)
See the real HTTP headers sent by your server using LiveHTTPHeaders.

(2) I don't know what should be done when multiple headers are sent for the same option or multiple parameters are specified for the same option, e.g. both "Cache-Control: no-cache" and "Cache-Control: no-store" are sent, or both no-store and max-age=xxx are specified on a "Cache-Control:" header.
Read the RFCs for irregular cases before requesting/specifying multiple headers/multiple parameters for the same option. See http://www.w3.org/Protocols/ for HTTP.
Component: History → Bookmarks & History
QA Contact: history → bookmarks
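
Added example, not part of the original bug thread or of any Mozilla code: a small Python check that looks only at the real HTTP response headers, merges repeated Cache-Control lines into one directive list (repeated fields combine as a comma-separated list, RFC 2616 section 4.2), and reports whether no-store is actually sent or only no-cache. The function names, verdict strings and sample responses are constructed for illustration, and ignoring `<meta http-equiv>` for the verdict is this example's choice.

```python
from html.parser import HTMLParser

def cache_directives(header_lines):
    """Merge every Cache-Control header line into one {directive: argument} dict.
    Simplification: quoted arguments that contain commas are not handled."""
    directives = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cache-control":
            continue
        for token in value.split(","):
            key, _, arg = token.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"') or None
    return directives

class _MetaFinder(HTMLParser):
    """Collect the http-equiv names of <meta> tags found in the body."""
    def __init__(self):
        super().__init__()
        self.http_equiv = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.http_equiv += [v.lower() for k, v in attrs if k == "http-equiv" and v]

def audit(header_lines, body):
    """Return (verdict, notes); the verdict is based on real headers only."""
    d = cache_directives(header_lines)
    finder = _MetaFinder()
    finder.feed(body)
    notes = []
    if {"cache-control", "pragma"} & set(finder.http_equiv):
        notes.append("meta http-equiv found in body; not counted as an HTTP header")
    if "no-store" in d:
        return "no-store", notes
    if "no-cache" in d:
        notes.append("no-cache only: page may still be shown from session history")
        return "no-cache-only", notes
    return "storable", notes

# Constructed sample responses (not captured from any real site).
SAMPLE_NO_CACHE = ["Pragma: no-cache", "Cache-Control: no-cache"]
SAMPLE_SPLIT = ["Cache-Control: no-cache", "cache-control: no-store, max-age=0"]
SAMPLE_BODY = '<html><head><meta http-equiv="Cache-Control" content="no-store"></head></html>'

if __name__ == "__main__":
    print(audit(SAMPLE_NO_CACHE, SAMPLE_BODY))
    print(audit(SAMPLE_SPLIT, ""))
```
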