From 1051b3c326db84dad9242356fab251676618314b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Olli=20Tiet=C3=A4v=C3=A4inen?=
Date: Mon, 13 Nov 2017 09:16:25 +0200
Subject: [PATCH] Set no-store headers on UIDL messages (#10308)

UIDL might contain sensitive information that we should prevent from being stored anywhere.
---
 .../vaadin/server/communication/UIInitHandler.java | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
index 9ef63c3138..1416faa2ce 100644
--- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
@@ -107,9 +107,15 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
 // The response was produced without errors so write it to the client
 response.setContentType(JsonConstants.JSON_CONTENT_TYPE);
- // Ensure that the browser does not cache UIDL responses.
- // iOS 6 Safari requires this (#9732)
- response.setHeader("Cache-Control", "no-cache");
+ // Response might contain sensitive information, so prevent caching
+ // no-store to disallow storing even if cache would be revalidated
+ // must-revalidate to not use stored value even if someone asks for it
+ response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
+
+ // Also set legacy values in case of old proxies in between
+ response.setHeader("Pragma", "no-cache");
+ response.setHeader("Expires", "0");
 byte[] b = json.getBytes("UTF-8");
 response.setContentLength(b.length);
--
2.39.5
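Review bot: The replaced comment dropped the reference to the iOS 6 Safari bug (#9732) that was the original reason for `no-cache`, so the next reader may treat that token as redundant next to `no-store` and remove it; keep the history in the new comment, e.g. `// no-cache is still needed separately: iOS 6 Safari ignores no-store alone (#9732)`. The explanation of `must-revalidate` is also slightly off — the directive forbids serving a stale cached copy without revalidation, it does not by itself prevent storing, which is what `no-store` does — so `// must-revalidate: a cache that does hold a copy may not serve it stale without checking` would be more accurate. `"Expires", "0"` is not a valid HTTP-date; caches are expected to treat an invalid value as already expired, so it works in practice, but the conventional `Thu, 01 Jan 1970 00:00:00 GMT` avoids depending on that parsing leniency. Since the commit title speaks of UIDL messages generally while only this handler changes, it is worth confirming that every other response path that writes UIDL sets the same three headers; a small shared helper taking the response would keep them from drifting apart. The enclosing method starts before and continues after this hunk.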