From: Leif Åstrand <legioth@gmail.com>
Date: Fri, 10 Nov 2017 15:11:03 +0000 (+0200)
Subject: Set no-store headers on UIDL messages
X-Git-Tag: 8.2.0.alpha3~9
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=70219e5fa6a7beffbee5d2fd5814d9203512a06c;p=vaadin-framework.git

Set no-store headers on UIDL messages

UIDL might contain sensitive information that we should prevent from
being stored anywhere.
---

diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
index c2992fc29c..12a04c1509 100644
--- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
@@ -109,9 +109,15 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
         // The response was produced without errors so write it to the client
         response.setContentType(JsonConstants.JSON_CONTENT_TYPE);
 
-        // Ensure that the browser does not cache UIDL responses.
-        // iOS 6 Safari requires this (#9732)
-        response.setHeader("Cache-Control", "no-cache");
+        // Response might contain sensitive information, so prevent caching
+        // no-store to disallow storing even if cache would be revalidated
+        // must-revalidate to not use stored value even if someone asks for it
+        response.setHeader("Cache-Control",
+                "no-cache, no-store, must-revalidate");
+
+        // Also set legacy values in case of old proxies in between
+        response.setHeader("Pragma", "no-cache");
+        response.setHeader("Expires", "0");
 
         byte[] b = json.getBytes(UTF_8);
         response.setContentLength(b.length);