Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cache save(...) does not correctly handle no-cache directive #183

Open
Cooksauce opened this issue Jul 30, 2024 · 0 comments
Open

Cache save(...) does not correctly handle no-cache directive #183

Cooksauce opened this issue Jul 30, 2024 · 0 comments

Comments

@Cooksauce
Copy link

RFC: https://www.rfc-editor.org/rfc/rfc7234#section-5.2.2.2

The "no-cache" response directive indicates that the response MUST
NOT be used to satisfy a subsequent request without successful
validation on the origin server. This allows an origin server to
prevent a cache from using it to satisfy a request without contacting
it, even by caches that have been configured to send stale responses.

Problem Scenario:

  1. a previous response to a request had a cacheable cache-control header value... thus, has been stored via save(...)
  2. for some reason, this is no longer desired... so a change is made to is made to a subsequent response in which a no-cache value is in the response header
  3. when save(...) is called, it should have the effect of "busting" the originally cached value... the current implementation effectively no-ops here

Effect

In the most extreme case, this can lead to a significant security issue if the cache needs to be busted for security reasons.
(From testing, the Cloudflare caching "Purge Everything" UI functionality does not clear this.)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Cooksauce