Administration: Add the no-store and private directives to the Cache-Control header when preventing caching for logged in users.

johnbillion · johnbillion · commit 8d702842ce2c · 2023-06-21T18:25:40.000Z
The intention behind this change is to prevent sensitive data in responses for logged in users being cached and available to others, for example via the browser history after the user logs out. The `no-store` directive instructs caches in the browser or within proxies not to store the response in the cache. This is subtly different from the `no-cache` directive which means the response can be cached but must be revalidated before re-use. WordPress does not use ETag headers by default therefore this does not achieve the same result. The `private` directive complements the `no-store` directive by specifying that the response contains private information that should not be stored in a public cache. Som e proxy caches may ignore the `no-store` directive but respect the `private` directive, thus it is included. The existing `Cache-Control` header for users who are not logged in remains unchanged, and the existing cache prevention directives remain in place for backwards compatib ility. Props soulseekah, luehrsen, Dharm1025, markdoliner, rutviksavsani, ayeshrajans, paulkevan, clorith, andy786, johnbillion Fixes #21938, Fixes #57627 git-svn-id: https://develop.svn.wordpress.org/trunk@55968 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -1477,24 +1477,30 @@ function status_header( $code, $description = '' ) {
 }
 
 /**
- * Gets the header information to prevent caching.
+ * Gets the HTTP header information to prevent caching.
  *
  * The several different headers cover the different ways cache prevention
- * is handled by different browsers
+ * is handled by different browsers.
  *
  * @since 2.8.0
+ * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
+ *              `no-store` and `private` directives.
  *
  * @return array The associative array of header names and field values.
  */
 function wp_get_nocache_headers() {
+	$cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
+		? 'no-cache, must-revalidate, max-age=0, no-store, private'
+		: 'no-cache, must-revalidate, max-age=0';
+
 	$headers = array(
 		'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
-		'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
+		'Cache-Control' => $cache_control,
 	);
 
 	if ( function_exists( 'apply_filters' ) ) {
 		/**
-		 * Filters the cache-controlling headers.
+		 * Filters the cache-controlling HTTP headers that are used to prevent caching.
 		 *
 		 * @since 2.8.0
 		 *
@@ -1509,7 +1515,7 @@ function wp_get_nocache_headers() {
 }
 
 /**
- * Sets the headers to prevent caching for the different browsers.
+ * Sets the HTTP headers to prevent caching for the different browsers.
  *
  * Different browsers support different nocache headers, so several
  * headers must be sent so that all of them get the point that no
@@ -1536,7 +1542,7 @@ function nocache_headers() {
 }
 
 /**
- * Sets the headers for caching for 10 days with JavaScript content type.
+ * Sets the HTTP headers for caching for 10 days with JavaScript content type.
  *
  * @since 2.1.0
  */
diff --git a/tests/e2e/specs/cache-control-headers-directives.test.js b/tests/e2e/specs/cache-control-headers-directives.test.js
@@ -0,0 +1,39 @@
+import {
+	visitAdminPage,
+	createNewPost,
+	trashAllPosts,
+	createURL,
+	logout,
+} from "@wordpress/e2e-test-utils";
+
+describe( 'Cache Control header directives', () => {
+
+	beforeEach( async () => {
+		await trashAllPosts();
+	} );
+
+	it( 'No private directive present in cache control when user not logged in.', async () => {
+		await createNewPost( {
+			title: 'Hello World',
+			post_status: 'publish',
+		} );
+		await logout();
+
+		const response = await page.goto( createURL( '/hello-world/' ) );
+		const cacheControl = response.headers();
+
+		expect( cacheControl[ 'cache-control' ] ).not.toContain( 'no-store' );
+		expect( cacheControl[ 'cache-control' ] ).not.toContain( 'private' );
+	} );
+
+	it( 'Private directive header present in cache control when logged in.', async () => {
+		await visitAdminPage( '/wp-admin' );
+
+		const response = await page.goto( createURL( '/wp-admin' ) );
+		const cacheControl = response.headers();
+
+		expect( cacheControl[ 'cache-control' ] ).toContain( 'no-store' );
+		expect( cacheControl[ 'cache-control' ] ).toContain( 'private' );
+	} );
+
+} );

Original file line number	Diff line number	Diff line change
`@@ -1477,24 +1477,30 @@ function status_header( $code, $description = '' ) {`
`1477`	`1477`	`}`
`1478`	`1478`
`1479`	`1479`	`/**`
`1480`		`- * Gets the header information to prevent caching.`
	`1480`	`+ * Gets the HTTP header information to prevent caching.`
`1481`	`1481`	`*`
`1482`	`1482`	`* The several different headers cover the different ways cache prevention`
`1483`		`- * is handled by different browsers`
	`1483`	`+ * is handled by different browsers.`
`1484`	`1484`	`*`
`1485`	`1485`	`* @since 2.8.0`
	`1486`	+ * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
	`1487`	+ * `no-store` and `private` directives.
`1486`	`1488`	`*`
`1487`	`1489`	`* @return array The associative array of header names and field values.`
`1488`	`1490`	`*/`
`1489`	`1491`	`function wp_get_nocache_headers() {`
	`1492`	`+ $cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )`
	`1493`	`+ ? 'no-cache, must-revalidate, max-age=0, no-store, private'`
	`1494`	`+ : 'no-cache, must-revalidate, max-age=0';`
	`1495`	`+`
`1490`	`1496`	`$headers = array(`
`1491`	`1497`	`'Expires' => 'Wed, 11 Jan 1984 05:00:00 GMT',`
`1492`		`- 'Cache-Control' => 'no-cache, must-revalidate, max-age=0',`
	`1498`	`+ 'Cache-Control' => $cache_control,`
`1493`	`1499`	`);`
`1494`	`1500`
`1495`	`1501`	`if ( function_exists( 'apply_filters' ) ) {`
`1496`	`1502`	`/**`
`1497`		`- * Filters the cache-controlling headers.`
	`1503`	`+ * Filters the cache-controlling HTTP headers that are used to prevent caching.`
`1498`	`1504`	`*`
`1499`	`1505`	`* @since 2.8.0`
`1500`	`1506`	`*`
`@@ -1509,7 +1515,7 @@ function wp_get_nocache_headers() {`
`1509`	`1515`	`}`
`1510`	`1516`
`1511`	`1517`	`/**`
`1512`		`- * Sets the headers to prevent caching for the different browsers.`
	`1518`	`+ * Sets the HTTP headers to prevent caching for the different browsers.`
`1513`	`1519`	`*`
`1514`	`1520`	`* Different browsers support different nocache headers, so several`
`1515`	`1521`	`* headers must be sent so that all of them get the point that no`
`@@ -1536,7 +1542,7 @@ function nocache_headers() {`
`1536`	`1542`	`}`
`1537`	`1543`
`1538`	`1544`	`/**`
`1539`		`- * Sets the headers for caching for 10 days with JavaScript content type.`
	`1545`	`+ * Sets the HTTP headers for caching for 10 days with JavaScript content type.`
`1540`	`1546`	`*`
`1541`	`1547`	`* @since 2.1.0`
`1542`	`1548`	`*/`