mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
07da73429a
Summary
=======

Currently there is no way to set "Cache-Control: no-store" header using
built-in cache control methods ("expires_now"/"expires_in"/etc..). One of the
[top StackOverflow][1] answers currently suggests putting it directly into
header set. Unfortunately, it cannot later be overridden in
specific/individual actions by calling say 'expires_in 5.minutes'. Resulting
header in that case stays the same, i.e. 'Cache-Control: no-store'.

This:

1. Adds the 'no_store' method to set "Cache-Control: no-store" header.
2. Changes cache control "merge and normalize" code so default "no-store"
   directive can be overridden using built in cache control methods mentioned
   above.

What's the use of it
--------------------

Couple examples:

* To [prevent rendering stale content][3] if browser return button is used
  ('expires_now' does not help).
* To prevent browser disk cache being used. In some situations it's
  considered a [privacy/security risk][4].

Other Information
=================

Mozilla developer docs for [Cache-Control][2] header.

[1]: https://stackoverflow.com/questions/10744169/rails-set-no-cache-method-cannot-disable-browser-caching-in-safari-and-opera
[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
[3]: https://engineering.mixmax.com/blog/chrome-back-button-cache-no-store/
[4]: https://portswigger.net/kb/issues/00700100_cacheable-https-response

File | ||
---|---|---|
cache.rb | ||
content_disposition.rb | ||
content_security_policy.rb | ||
filter_parameters.rb | ||
filter_redirect.rb | ||
headers.rb | ||
mime_negotiation.rb | ||
mime_type.rb | ||
mime_types.rb | ||
parameters.rb | ||
permissions_policy.rb | ||
rack_cache.rb | ||
request.rb | ||
response.rb | ||
upload.rb | ||
url.rb |