Offline mode allows no-cache (potentially private) resources to be restored from bfcache




9 years ago
3 years ago


(Reporter: bsterne, Unassigned)



Firefox Tracking Flags

(Not tracked)



(1 attachment)



9 years ago
Created attachment 471612 [details]
PHP testcase

Bug 327790 was RESOLVED INVALID because it was determined that the reporter and bug commenters were using the incorrect HTTP headers to achieve the desired behavior (to stop bfcache from caching a resource).

It may be the case that bug 327790 has regressed because it doesn't appear possible to stop a bfcache'd resource from being accessible by going into Offline Mode and refreshing the tab.

Darin's caching FAQ [1] says that bfcache won't serve expired content, which implies that sites should be able to work around the Offline issue by sending an Expires header with a date in the past, but my testing showed that this method doesn't work.

A simple way to demonstrate this is to:
1) Log in to Facebook
2) Log out of Facebook
3) Hit Back button (stays on login page)

1) Log in to Facebook
2) Log out of Facebook
3) Check Offline Mode
4) Hit Back button (displays the cached home.php page)

I also attached a simple PHP testcase that I was using when experimenting with various combinations of headers.  Someone may find it useful.

It would be nice to fix Offline Mode so that no-cache resources are never displayed.
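
A page-side mitigation for the logout scenario above, as an added example that is not part of the bug report or of any Mozilla code: the page re-checks a session marker every time it is shown and clears itself if the marker is gone, which works without network access. The cookie name `logged_in`, the `/login` route and the rule that the server deletes the cookie on logout are assumptions made for this sketch.

```javascript
// Added example; SESSION_MARKER and LOGIN_URL are hypothetical names.
// Assumption: the server sets a non-HttpOnly cookie logged_in=1 at login
// and deletes it at logout, so script can read it even while offline.
const SESSION_MARKER = "logged_in";
const LOGIN_URL = "/login";

// True if the cookie string still carries the marker with value "1".
function hasSessionMarker(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("="))
    .some(([name, value]) => name === SESSION_MARKER && value === "1");
}

// Decide what to do when the document becomes visible.
// persisted === true means it was restored from bfcache. The marker is
// checked on every show, so a copy loaded from another cache is caught too.
function decideOnShow(persisted, cookieString) {
  if (hasSessionMarker(cookieString)) return "keep";
  return persisted ? "purge-restored" : "purge-loaded";
}

// Remove the rendered tree first, then navigate without adding a history
// entry. If the navigation fails (offline), the private content is
// already gone from the document.
function purge(doc, loc) {
  doc.documentElement.replaceChildren();
  loc.replace(LOGIN_URL);
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("pageshow", (event) => {
    const action = decideOnShow(event.persisted, document.cookie);
    if (action !== "keep") purge(document, window.location);
  });
}
```

The check only runs when scripting is enabled, so it complements the server's caching headers and does not replace them.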


Comment 1

9 years ago
CC'ing a couple of folks who might be able to help route this bug.
This just needs an owner, right?

Comment 3

9 years ago
That would be most excellent.

Comment 4

9 years ago
cc-ing Byron/bjarne in case either can take it at some point fairly soon.
Duplicate of this bug: 340041

Comment 6

7 years ago
Want to see if bsmith has any thoughts on this one.
no-cache is allowed in the bfcache now even online
Last Resolved: 3 years ago
Resolution: --- → WONTFIX