authorDaniel Axtens <daniel@axtens.net>2022-11-16 14:56:30 +1100
committerGitHub <noreply@github.com>2022-11-16 04:56:30 +0100
commit4d85c27d1adc83aadd219767dbdc7e17b05230b0 (patch)
tree751ca03a6e6aeb6350f310bf2a597e766624f11e
parentac7a29f06842b6ddb3e509a8eb61fffca3285a7d (diff)
Add 'private' to Cache-Control, match Rails expectations (#20608)
Several controllers set quite intricate Cache-Control headers in order to
hopefully not be cached by any intermediate proxies or local caches. Unfortunately,
these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes
and discards any values set alongside no-store other than private:
https://github.com/rails/rails/blob/8015c2c2cf5c8718449677570f372ceb01318a32/actionpack/lib/action_dispatch/http/cache.rb#L207-L209

We want to preserve no-store on these responses, but we might as well remove
parts that are going to be dropped anyway. As many of the endpoints in these
controllers are private to a particular user, we should also add "private",
which will be preserved alongside no-store.
-rw-r--r--app/controllers/api/base_controller.rb2
-rw-r--r--app/controllers/auth/registrations_controller.rb2
-rw-r--r--app/controllers/oauth/authorizations_controller.rb2
-rw-r--r--app/controllers/settings/base_controller.rb2
4 files changed, 4 insertions, 4 deletions
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 665425f29..defef0656 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -129,7 +129,7 @@ class Api::BaseController < ApplicationController
   end
 
   def set_cache_headers
-    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+    response.headers['Cache-Control'] = 'private, no-store'
   end
 
   def disallow_unauthenticated_api_access?
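Review bot: The literal `'private, no-store'` is now repeated in set_cache_headers here and in the Auth::RegistrationsController, Oauth::AuthorizationsController and Settings::BaseController hunks, so a later edit to one copy can silently leave the others with a different policy on per-user responses. Nothing in the code says why the value is this short; a comment such as `# Rails' ActionDispatch::HTTP::Cache keeps only 'private' next to 'no-store' and drops every other directive` above the assignment would stop someone from re-adding the discarded directives. The diffstat shows only the four controllers changing, so a request spec asserting the Cache-Control value as actually emitted, after Rails has processed it, would be worth adding to catch a regression. How set_cache_headers is invoked is outside these hunks.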
diff --git a/app/controllers/auth/registrations_controller.rb b/app/controllers/auth/registrations_controller.rb
index 14e0d9a36..cd1c546b8 100644
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@@ -154,6 +154,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   end
 
   def set_cache_headers
-    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+    response.headers['Cache-Control'] = 'private, no-store'
   end
 end
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index bb5d639ce..45073c968 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -30,6 +30,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   end
 
   def set_cache_headers
-    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+    response.headers['Cache-Control'] = 'private, no-store'
   end
 end
diff --git a/app/controllers/settings/base_controller.rb b/app/controllers/settings/base_controller.rb
index 8311538a5..8722fd64a 100644
--- a/app/controllers/settings/base_controller.rb
+++ b/app/controllers/settings/base_controller.rb
@@ -14,7 +14,7 @@ class Settings::BaseController < ApplicationController
   end
 
   def set_cache_headers
-    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+    response.headers['Cache-Control'] = 'private, no-store'
   end
 
   def require_not_suspended!