From 70219e5fa6a7beffbee5d2fd5814d9203512a06c Mon Sep 17 00:00:00 2001 From: Leif Åstrand Date: Fri, 10 Nov 2017 17:11:03 +0200 Subject: Set no-store headers on UIDL messages UIDL might contain sensitive information that we should prevent from being stored anywhere. --- .../java/com/vaadin/server/communication/UIInitHandler.java | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'server') diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java index c2992fc29c..12a04c1509 100644 --- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java +++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java @@ -109,9 +109,15 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler { // The response was produced without errors so write it to the client response.setContentType(JsonConstants.JSON_CONTENT_TYPE); - // Ensure that the browser does not cache UIDL responses. - // iOS 6 Safari requires this (#9732) - response.setHeader("Cache-Control", "no-cache"); + // Response might contain sensitive information, so prevent caching + // no-store to disallow storing even if cache would be revalidated + // must-revalidate to not use stored value even if someone asks for it + response.setHeader("Cache-Control", + "no-cache, no-store, must-revalidate"); + + // Also set legacy values in case of old proxies in between + response.setHeader("Pragma", "no-cache"); + response.setHeader("Expires", "0"); byte[] b = json.getBytes(UTF_8); response.setContentLength(b.length); -- cgit v1.2.3