Closed Bug 593140 Opened 14 years ago Closed 9 years ago

Offline mode allows no-cache (potentially private) resources to be restored from bfcache

Categories

(Core :: Networking: Cache, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: bsterne, Unassigned)


Attachments

(1 file)

Attached file PHP testcase
Bug 327790 was RESOLVED INVALID because it was determined that the reporter and bug commenters were using the incorrect HTTP headers to achieve the desired behavior (to stop bfcache from caching a resource). It may be the case that bug 327790 has regressed because it doesn't appear possible to stop a bfcache'd resource from being accessible by going into Offline Mode and refreshing the tab.

Darin's caching FAQ [1] says that bfcache won't serve expired content, which implies that sites should be able to work around the Offline issue by sending an Expires header with a date in the past, but my testing showed that this method doesn't work.

A simple way to demonstrate this is to:

1) Login to Facebook
2) Logout of Facebook
3) Hit Back button (stays on login page)

1) Login to Facebook
2) Logout of Facebook
3) Check Offline Mode
4) Hit Back button (displays the cached home.php page)

I also attached a simple PHP testcase that I was using when experimenting with various combinations of headers. Someone may find it useful.

It would be nice to fix Offline Mode so that no-cache resources are never displayed.

[1] http://www.mozilla.org/projects/netlib/http/http-caching-faq.html
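An added example, not part of the bug report or its attached PHP testcase: a Python helper for comparing header combinations like the ones the report describes testing. It only reports which caching signals a response carries and makes no claim about how bfcache treats them; the function name and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cache_directives(headers, now=None):
    """Return the set of caching signals present in a response's headers."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found = set()

    # Cache-Control is a comma-separated, case-insensitive directive list.
    for part in h.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        name = name.lower()
        if name in ("no-store", "no-cache", "private", "must-revalidate"):
            found.add(name)
        elif name == "max-age" and value.strip('"') == "0":
            found.add("max-age=0")

    if "no-cache" in h.get("pragma", "").lower():
        found.add("pragma-no-cache")

    # An Expires date in the past, or an unparseable value such as "0",
    # means the response is already stale (RFC 9111, section 5.3).
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                found.add("expired")
        except (TypeError, ValueError):
            found.add("expired")
    return found


if __name__ == "__main__":
    # Constructed sample: the "Expires in the past" workaround from the report.
    sample = {
        "Cache-Control": "no-cache, must-revalidate",
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    }
    print(sorted(cache_directives(sample)))
```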
CC'ing a couple of folks who might be able to help route this bug.
This just needs an owner, right?
That would be most excellent.
cc-ing Byron/bjarne in case either can take it at some point fairly soon.
Want to see if bsmith has any thoughts on this one.
no-cache is allowed in the bfcache now even online
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
