Closed Bug 328835 Opened 19 years ago Closed 18 years ago

no-cache pages are cached in memory cache, this is a privacy risk

Categories

(Core :: Networking: Cache, defect)

Product:
Core
Component:
Networking: Cache
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: spammable, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Pages with cache-control: no-cache and pragma: no-cache are cached in memory cache. These pages can be viewed in offline mode. Such pages should not be cached, or at least not be viewable from memory cache (RFC 2616 might allow them to be viewed by navigation, but not by click, see Opera's interpertation in article http://www.opera.com/support/search/supsearch.dml?index=82 Risk scenario: If internet banking is used on a public terminal, the customer's financial information is accessible by third parties with normal access to the terminal, even if the customer has logged out from his bank. Reproducible: Always Steps to Reproduce: 1. Open page with cache-control: no-cache, e.g. https://ibank.barclays.co.uk/olb/q/LoginMember.do 2. Choose File offline browsing 3. Enter about:cache in address bar/location 4. Choose Memory cache 5. Find and click relevant page entry (Ctrl-F to find LoginMember.do) 6. View info about page, e.g. 7. Click url, and the no-cache-page is displayed. Actual Results: The no-cache-page is dispalyed Expected Results: The page which the server has asked not be cached, should not have been displayed.
Version: unspecified → 1.5.0.x Branch
(In reply to comment #1) > I think this is INVALID. > http://www.mozilla.org/projects/netlib/http/http-caching-faq.html > and maybe bug 223000 > Good point. I agree that cache and history is different, and that this bug is invalid when it comes to the no-cache directive. However: I think Firefox should honour the no-store directive. As the comment from Darin Fisher in bug 223000 says: "To get the you desire, you need to send 'cache-control: no-store'." Firefox also stores pages with that directive. According to RFC 2616 sect 14.9.2 history buffers MAY store pages with no-store. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2 I think Firefox should follow IE and Opera here, as there is a need for web servers to avoid that sensitive/personal data is cached. In addition it seems to me that about:cache goes further than history lists are supposed to, see RFC2616 sec 13.13 which implies that history lists are just for one session, and linked to preserving forward-back navigation. "User agents often have history mechanisms, such as "Back" buttons and history lists, which can be used to redisplay an entity retrieved earlier in a session."
Component: Security → Networking: Cache
Product: Firefox → Core
QA Contact: firefox → networking.cache
Version: 1.5.0.x Branch → 1.8 Branch
invalid per bug 261312 ?
(In reply to comment #2) > However: I think Firefox should honour the no-store directive. https://ibank.barclays.co.uk/olb/q/LoginMember.do, which you mentioned this bug's problem occurs in your comment #0, returns next headers, and the sent HTML doesn't contain <meta> tag(i.e. no cache related <meta http-equiv=...>). How can User Agent honour no-store request which server didn't request? > GET /olb/q/LoginMember.do HTTP/1.1 > Host: ibank.barclays.co.uk > > HTTP/1.x 200 OK > Date: Thu, 02 Mar 2006 01:08:00 GMT > Content-Length: 8177 > Content-Type: text/html > Pragma: No-cache > Cache-Control: no-cache > Expires: Thu, 01 Jan 1970 00:00:00 GMT > Content-Language: en-GB
Thanks for links to similar bugs. To keep things tidy: Since the main issue is how the no-store directive should be honoured, whereas my initial bug report (and the example) was for the no-cache directive, I suggest the bug's status be set to INVALID, and that I enter the no-store problem in another bug report? Is that a good idea? I still think issue should be solved, but am a bit calmed by the point made by Darin Fisher in Bug 112564: "4- most users don't know anything of about:cache and moreover there is no UI for it. it is essentially only a development feature. i think we can live with allowing users to access no-store content saved in the memory cache via about:cache. think of it as a type of session history ;-)" https://bugzilla.mozilla.org/show_bug.cgi?id=112564#c45 To put things on the edge: Firefox goes for "privacy through obscurity". Snooping is only for computer enthusiasts (and criminals) :-)
See Bug 340041 for an example of the no-store issue. Is there enough info there to mark this INVALID?
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.