Closed Bug 667257 Opened 10 years ago Closed 1 year ago

Create a "clear back/forward history for this site" API for use by "log out" buttons

Categories: Core :: Security (enhancement)

Priority: Not set; Severity: normal

Status: RESOLVED FIXED

Reporter: jruderman; Assignee: Unassigned

Keywords: csectype-disclosure, sec-want; Whiteboard: [sg:want?]

The back button has always made "log out" buttons less than completely effective.  The workarounds all have significant usability drawbacks, so only the most sensitive sites use them (and users hate them for it).

* Force logged-in activities to happen in a new window, which JS can close.

* Use "cache-control: no-store", which makes the site slow and broken even when you haven't logged out.

* Do everything in one page, so no session history is created.

* Break session history entirely upon log out, e.g. by loading a hundred pages in a row (see bug 639952). Bug 567365 comment 25 claims that Facebook does something like this.

It would be better if sites could say "delete all session history entries for this site" when I log out.
Adding such an API would make it more palatable to fix bug 261312 and bug 639952.
Whiteboard: [sg:want?]
There was a "Cache Contexts" IETF draft:

See
http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the
http://datatracker.ietf.org/doc/draft-pettersen-cache-context/

I don't know why the process has stalled (those drafts are currently expired) but the idea seems solid to me.
Keywords: csec-disclosure

I think this was considered and implemented as part of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED