Tim Huffam

Dotting the I and crossing the T of I.T.


If a user on Firefox 3 signs out of a web site and does not close the browser, anyone who uses that browser afterwards can view the content of pages loaded by the previous user (e.g. in an internet cafe, or anywhere workstations are shared, such as universities), exposing private/confidential data.

This only affects HTTP POST requests (not GETs) and only Firefox version 3; earlier versions (1.5, 2, etc.) and IE are not affected.
 
The main points are:
  • This is definitely a bug: it violates RFC 2616, section 14.9, which states "The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain".
  • Some companies that deem this a significant hole in their security have chosen to block requests from Firefox 3 (i.e. they consider it their responsibility to secure their customers' private and confidential data to the best of their ability).
  • This bug has been registered with the Mozilla dev team, but currently (as of 26 Sept 2008) has a status of unconfirmed.
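As an added example (my code, not from the original post), here is the RFC 2616 section 14.9 header set a sensitive response should carry, plus a small audit that parses a captured header block and reports which cache-defeating directives are missing. The sample header blocks are constructed; note that, per the post, Firefox 3 ignored these directives on POST responses, so they are what the RFC requires and what other browsers honour, not a fix for that bug.

```python
"""Added example, not part of the original post: build and audit the
cache-defeating headers RFC 2616 14.9 says caches MUST obey.
The header blocks used in the test are constructed samples."""
from typing import Dict, List, Tuple

# Header set a page holding private data should send (assumed here; the
# post names the RFC section, not a concrete header list).
NO_CACHE_HEADERS: List[Tuple[str, str]] = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),  # for HTTP/1.0 caches
    ("Expires", "0"),        # already expired for date-based caches
]


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument or ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def hardened_header_block(extra: List[Tuple[str, str]] = []) -> str:
    """Render the defensive header set (plus any extras) as a raw block."""
    lines = [f"{k}: {v}" for k, v in list(extra) + NO_CACHE_HEADERS]
    return "\r\n".join(lines) + "\r\n"


def audit_response_headers(raw: str) -> List[str]:
    """Return findings for a raw response header block; an empty list means
    every cache-defeating directive the header set above uses is present."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line:  # skips the status line, which has no colon
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    findings: List[str] = []
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if not headers.get("expires"):
        findings.append("Expires header missing")
    return findings
```

Running `audit_response_headers` over the headers a logout or account page actually returns is a quick way to confirm the server side is doing its part before blaming the browser.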
Related links:

Tim

posted on Friday, September 26, 2008 3:17 PM

Feedback

# re: Firefox 3 ignores cache control http headers - security risk for online apps! 11/17/2008 11:12 PM status update
It now has a status of NEW (Nov 17 2008).
