author | Leif Åstrand <legioth@gmail.com> | 2017-11-10 17:11:03 +0200 |
---|---|---|
committer | Péter Török <31210544+torok-peter@users.noreply.github.com> | 2017-11-10 17:11:03 +0200 |
commit | 70219e5fa6a7beffbee5d2fd5814d9203512a06c (patch) | |
tree | 7cd862cdacb4aac9a97cb787f6c355ee5f265356 /server | |
parent | 81399671acfa10ff4da607b3a8aaaa7a155be972 (diff) | |
download | vaadin-framework-70219e5fa6a7beffbee5d2fd5814d9203512a06c.tar.gz vaadin-framework-70219e5fa6a7beffbee5d2fd5814d9203512a06c.zip |
Set no-store headers on UIDL messages
UIDL might contain sensitive information that we should prevent from
being stored anywhere.
Diffstat (limited to 'server')
-rw-r--r-- | server/src/main/java/com/vaadin/server/communication/UIInitHandler.java | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
index c2992fc29c..12a04c1509 100644
--- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
@@ -109,9 +109,15 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
 // The response was produced without errors so write it to the client
 response.setContentType(JsonConstants.JSON_CONTENT_TYPE);
- // Ensure that the browser does not cache UIDL responses.
- // iOS 6 Safari requires this (#9732)
- response.setHeader("Cache-Control", "no-cache");
+ // Response might contain sensitive information, so prevent caching
+ // no-store to disallow storing even if cache would be revalidated
+ // must-revalidate to not use stored value even if someone asks for it
+ response.setHeader("Cache-Control",
+ "no-cache, no-store, must-revalidate");
+
+ // Also set legacy values in case of old proxies in between
+ response.setHeader("Pragma", "no-cache");
+ response.setHeader("Expires", "0");
 byte[] b = json.getBytes(UTF_8);
 response.setContentLength(b.length);
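Review bot: The rewritten comment above the `Cache-Control` line drops the `#9732` reference that recorded why `no-cache` was needed at all (iOS 6 Safari replaying cached UIDL), so a later cleanup of the now-redundant `no-cache`/`must-revalidate` tokens next to `no-store` could silently reintroduce that bug; keep the pointer, e.g. `// no-cache is also what iOS 6 Safari needs to not replay stale UIDL (#9732)`. `Expires: 0` is not a valid HTTP-date, which is fine because caches treat an unparsable Expires as already expired, but a short comment such as `// "0" is deliberately not a date: an invalid Expires means "already expired"` prevents a well-meaning change to a real timestamp. The commit message speaks of UIDL messages in general while only the UI init response is patched here; if the per-request UIDL responses are written by a different handler (not visible in this diff), they expose the same application state and need the same three headers, which argues for a small shared helper rather than repeating the block. The enclosing method starts and ends outside the hunk, and the headers are only set on the success path shown here.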