Set no-store headers on UIDL messages (#10308)
authorOlli Tietäväinen <ollit@vaadin.com>
Mon, 13 Nov 2017 07:16:25 +0000 (09:16 +0200)
committerGitHub <noreply@github.com>
Mon, 13 Nov 2017 07:16:25 +0000 (09:16 +0200)
UIDL might contain sensitive information that we should prevent from
being stored anywhere.

server/src/main/java/com/vaadin/server/communication/UIInitHandler.java

index 9ef63c31386db9ebe68898aa8641d3f65294e9e2..1416faa2ce8ec618f91d7030711982d776fab245 100644 (file)
@@ -107,9 +107,15 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
         // The response was produced without errors so write it to the client
         response.setContentType(JsonConstants.JSON_CONTENT_TYPE);
 
-        // Ensure that the browser does not cache UIDL responses.
-        // iOS 6 Safari requires this (#9732)
-        response.setHeader("Cache-Control", "no-cache");
+        // Response might contain sensitive information, so prevent caching
+        // no-store to disallow storing even if cache would be revalidated
+        // must-revalidate to not use stored value even if someone asks for it
+        response.setHeader("Cache-Control",
+                "no-cache, no-store, must-revalidate");
+
+        // Also set legacy values in case of old proxies in between
+        response.setHeader("Pragma", "no-cache");
+        response.setHeader("Expires", "0");
 
         byte[] b = json.getBytes("UTF-8");
         response.setContentLength(b.length);
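Review bot: The three setHeader calls added at lines 23-28 only cover the response this handler writes, while the commit title speaks of UIDL messages in general; if other request handlers also emit UIDL, they would need the same policy, and a small shared helper (e.g. `setNoCacheHeaders(response)` wrapping the Cache-Control, Pragma and Expires lines) would keep those paths identical instead of relying on copy-paste. Whether such paths exist is not visible from this hunk, so treat that as a check rather than a defect. On the comment itself, `must-revalidate` adds nothing once `no-store` is present for a compliant cache, so the line "must-revalidate to not use stored value even if someone asks for it" slightly overstates its effect; `// must-revalidate as a fallback for caches that ignore no-store` would be more accurate. The enclosing method starts and ends outside this hunk.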