Changeset 55968

Timestamp:

06/21/2023 06:25:40 PM (14 months ago)

Author:

johnbillion

Message:

Administration: Add the no-store and private directives to the Cache-Control header when preventing caching for logged in users.

The intention behind this change is to prevent sensitive data in responses for logged in users being cached and available to others, for example via the browser history after the user logs out.

The no-store directive instructs caches in the browser or within proxies not to store the response in the cache. This is subtly different from the no-cache directive which means the response can be cached but must be revalidated before re-use. WordPress does not use ETag headers by default therefore this does not achieve the same result.

The private directive complements the no-store directive by specifying that the response contains private information that should not be stored in a public cache. Som
e proxy caches may ignore the no-store directive but respect the private directive, thus it is included.

The existing Cache-Control header for users who are not logged in remains unchanged, and the existing cache prevention directives remain in place for backwards compatib
ility.

Props soulseekah, luehrsen, Dharm1025, markdoliner, rutviksavsani, ayeshrajans, paulkevan, clorith, andy786, johnbillion

Fixes #21938, Fixes #57627

Location:

trunk

Files:

• src/wp-includes/functions.php (modified) (3 diffs)
• tests/e2e/specs/cache-control-headers-directives.test.js (added)

trunk/src/wp-includes/functions.php

@@ -1478 +1478 @@
 
 /**
- * Gets the header information to prevent caching.
+ * Gets the header information to prevent caching.
  *
  * The several different headers cover the different ways cache prevention
- * is handled by different browsers
+ * is handled by different browsers
  *
  * @since 2.8.0
+
+
  *
  * @return array The associative array of header names and field values.
  */
 function wp_get_nocache_headers() {
+
+
+
+
     $headers = array(
         'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
-        'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
+        'Cache-Control' => ,
     );
 
     if ( function_exists( 'apply_filters' ) ) {
         /**
-         * Filters the cache-controlling headers.
+         * Filters the cache-controlling .
          *
          * @since 2.8.0
@@ -1510 +1516 @@
 
 /**
- * Sets the headers to prevent caching for the different browsers.
+ * Sets the headers to prevent caching for the different browsers.
  *
  * Different browsers support different nocache headers, so several
@@ -1537 +1543 @@
 
 /**
- * Sets the headers for caching for 10 days with JavaScript content type.
+ * Sets the headers for caching for 10 days with JavaScript content type.
  *
  * @since 2.1.0