From 4d85c27d1adc83aadd219767dbdc7e17b05230b0 Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Wed, 16 Nov 2022 14:56:30 +1100 Subject: Add 'private' to Cache-Control, match Rails expectations (#20608) Several controlers set quite intricate Cache-Control headers in order to hopefully not be cached by any intermediate proxies or local caches. Unfortunately, these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes and discards any values set alongside no-store other than private: https://github.com/rails/rails/blob/8015c2c2cf5c8718449677570f372ceb01318a32/actionpack/lib/action_dispatch/http/cache.rb#L207-L209 We want to preserve no-store on these responses, but we might as well remove parts that are going to be dropped anyway. As many of the endpoints in these controllers are private to a particular user, we should also add "private", which will be preserved alongside no-store. --- app/controllers/oauth/authorizations_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/oauth/authorizations_controller.rb') diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb index bb5d639ce..45073c968 100644 --- a/app/controllers/oauth/authorizations_controller.rb +++ b/app/controllers/oauth/authorizations_controller.rb @@ -30,6 +30,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController end def set_cache_headers - response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' + response.headers['Cache-Control'] = 'private, no-store' end end -- cgit From 4ae97a2e4c4bea850c95a523e84e0424e7c18ffd Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 17 Nov 2022 21:31:52 +0100 Subject: Fix OAuth flow being broken by recent CSP change (#20958) --- app/controllers/oauth/authorizations_controller.rb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'app/controllers/oauth/authorizations_controller.rb') 
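Review bot: The replaced line in `set_cache_headers` carries no comment explaining why the header is now exactly `private, no-store`; that reasoning lives only in the commit message, so a later maintainer may well restore `no-cache, max-age=0, must-revalidate` expecting those directives to reach the client. A two-line comment above the assignment would pin it down: `# ActionDispatch::HTTP::Cache keeps only 'private' alongside 'no-store' and drops any other directive; see #20608.` followed by `# 'private' stops shared caches storing these per-user OAuth pages, 'no-store' stops all caching.` The method itself is complete within the hunk, but it runs as a `before_action` (visible in the second commit), so whether a later filter or Doorkeeper overrides the header cannot be confirmed from here.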
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb index 45073c968..5449cfb1a 100644 --- a/app/controllers/oauth/authorizations_controller.rb +++ b/app/controllers/oauth/authorizations_controller.rb @@ -7,6 +7,10 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController before_action :authenticate_resource_owner! before_action :set_cache_headers + content_security_policy do |p| + p.form_action(false) + end + include Localized private -- cgit
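Review bot: The new `content_security_policy` block removes the `form-action` directive for every action of this controller without recording why, and the commit title only says the OAuth flow was broken. A comment such as `# Drop form-action: browsers also apply it to the redirect that follows the consent form POST, which here targets the client's redirect_uri` would keep the next CSP tightening from reintroducing the breakage. With the directive gone, the only remaining restriction on where the consent form may end up is the redirect_uri validation that Doorkeeper is presumed to perform, which is outside this hunk; if only the consent form needs the relaxation, the block could presumably be narrowed with the `only:` option that `content_security_policy` passes through to `before_action`, though which actions that would have to cover is not verifiable from this hunk. The enclosing class starts and ends outside the hunk.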