Add Clear-Site-Data header

This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content. See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types. Ref https://twitter.com/mikewest/status/877149667909406723 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
author: Lukas Reschke <lukas@statuscode.ch> 2017-06-20 19:46:10 +0200
committer: Lukas Reschke <lukas@statuscode.ch> 2017-06-20 19:46:10 +0200
commit: 2f87fb6b456fd109c90a5093c31b7a3f62a32040 (patch)
tree: f79268ca6d160027fde21b9643789ec2ca31bcc2 /core
parent: 60edf2f18ab40439e2efb1d20e594f2797b6f31b (diff)
download: nextcloud-server-2f87fb6b456fd109c90a5093c31b7a3f62a32040.tar.gz
nextcloud-server-2f87fb6b456fd109c90a5093c31b7a3f62a32040.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 93b695dd999..1c75b1f3c8b 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -107,7 +107,9 @@ class LoginController extends Controller {
 		}
 		$this->userSession->logout();
 
-		return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+		$response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+		$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"');
+		return $response;
 	}
 
 	/**
author	Lukas Reschke <lukas@statuscode.ch>	2017-06-20 19:46:10 +0200
committer	Lukas Reschke <lukas@statuscode.ch>	2017-06-20 19:46:10 +0200
commit	2f87fb6b456fd109c90a5093c31b7a3f62a32040 (patch)
tree	f79268ca6d160027fde21b9643789ec2ca31bcc2 /core
parent	60edf2f18ab40439e2efb1d20e594f2797b6f31b (diff)
download	nextcloud-server-2f87fb6b456fd109c90a5093c31b7a3f62a32040.tar.gz nextcloud-server-2f87fb6b456fd109c90a5093c31b7a3f62a32040.zip