Geeks With Blogs
Tim Huffam Dotting the I and crossing the T of I.T.

If a user running Firefox 3 signs out of a web site but does not close the browser, anyone who uses that browser afterwards can view the content of pages loaded by the previous user (e.g. in an internet cafe, or anywhere workstations are shared, such as universities), exposing private/confidential data.

This only affects HTTP POST requests (not GETs) and only Firefox version 3; earlier versions (1.5, 2 etc.) and IE are not affected.
 
The main points are:
  • This is definitely a bug: it violates RFC 2616, section 14.9, which states "The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain".
  • Some companies that deem this a significant hole in their security have chosen to block requests from Firefox 3 (they consider it their responsibility to secure their customers' private and confidential data to the best of their ability).
  • This bug has been registered with the Mozilla dev team, but currently (as of 26 Sept 2008) has a status of unconfirmed.
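The bug above is the client side of the problem: a browser that keeps a POST response it was told not to keep. The server side is just as important, because a page that never sends `Cache-Control: no-store` will be kept by a correct browser too. The following checker is an added example (not code from the original post) that takes the headers a web application actually sends and reports whether a cache obeying RFC 2616 section 14.9 may keep a copy; the three header sets in `SAMPLES` are constructed for the demo. It also generalises slightly beyond the post by handling the `Expires` rule of RFC 2616 section 14.21 (an invalid date such as "0" counts as already expired) and quoted directive values.

```python
# Added example (not code from the original post): check, from the headers a
# web application sends, whether a cache that obeys RFC 2616 section 14.9 is
# allowed to keep a copy of the response. Sample header sets below are
# constructed for the demo.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# One Cache-Control directive: a name, optionally "=" and a quoted-string or
# token value. Quoted strings may contain commas (private="Set-Cookie, X"),
# so the header is tokenised with this pattern instead of split on ",".
_DIRECTIVE = re.compile(
    r'([A-Za-z0-9_-]+)(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]*)))?')


def parse_cache_control(values):
    """Merge one or more Cache-Control header values into a dict of
    lower-cased directive name -> value (None when it carries no value)."""
    directives = {}
    for value in values:
        for match in _DIRECTIVE.finditer(value):
            name, quoted, token = match.groups()
            directives[name.lower()] = quoted if quoted is not None else (token or None)
    return directives


def expires_in_past(value, now):
    """RFC 2616 14.21: an Expires value that is not a valid HTTP-date,
    including the common "0", MUST be treated as already in the past."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now


def classify(headers, now=None):
    """headers: list of (name, value) pairs as sent on the wire.
    Returns, from safest to least safe for a shared workstation:
      'not-storable'            no-store: a conforming cache keeps no copy
      'revalidate-before-reuse' no-cache / Pragma: a copy may sit on disk but
                                must be checked with the origin before reuse
      'stale-immediately'       expired on arrival; still stored
      'cacheable'               nothing stops the cache storing and reusing it
    """
    now = now or datetime.now(timezone.utc)
    cc = parse_cache_control([v for n, v in headers if n.lower() == "cache-control"])
    if "no-store" in cc:
        return "not-storable"
    pragma_no_cache = any(n.lower() == "pragma" and "no-cache" in v.lower()
                          for n, v in headers)
    # no-cache="Set-Cookie" only excludes that header field, not the body.
    if ("no-cache" in cc and cc["no-cache"] is None) or pragma_no_cache:
        return "revalidate-before-reuse"
    expires = [v for n, v in headers if n.lower() == "expires"]
    if cc.get("max-age") == "0" or any(expires_in_past(v, now) for v in expires):
        return "stale-immediately"
    return "cacheable"


# Constructed samples of what the page shown after a login POST might carry.
SAMPLES = {
    "careless": [("Content-Type", "text/html"), ("Content-Length", "2048")],
    "halfway": [("Content-Type", "text/html"),
                ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")],
    "hardened": [("Content-Type", "text/html"),
                 ("Cache-Control", "no-cache, no-store, must-revalidate"),
                 ("Pragma", "no-cache"),
                 ("Expires", "0")],
}


def report(samples=SAMPLES, now=None):
    """Classify every sample; returns {sample name: verdict}."""
    return {name: classify(hdrs, now) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:9s} -> {verdict}")
```

Only the `hardened` set comes out as `not-storable`; an `Expires` in the past on its own merely makes the copy stale, it does not stop a cache from writing it to disk, which is why `no-store` is the directive that matters for the shared-workstation case.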
Related links:

Tim

Posted on Friday, September 26, 2008 3:17 PM. Categories: Off Topic, OS/Networking/Misc Apps, ASP.NET, PHP (incl PhpMyAdmin), Web Development, JavaScript & CSS, ASP.NET AJAX


Comments on this post: Firefox 3 ignores cache control http headers - security risk for online apps!

# re: Firefox 3 ignores cache control http headers - security risk for online apps!
it now has a status of NEW (Nov 17 2008)
Left by status update on Nov 17, 2008 11:12 PM

# re: Firefox 3 ignores cache control http headers - security risk for online apps!
FF3 ignores "cache-control" or "expires"/"pragma" headers inserted as <meta> on the web page.

I had to modify the headers on my HttpServletResponse object in my server code, but you have to do that at the right page lifecycle event.

I'm using Tapestry 5 in my web app and it doesn't cache pages which implement the following method:

import org.apache.tapestry5.annotations.SetupRender;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.RequestGlobals;

public class AccountPage { // page class name is a placeholder; only the method was posted
    @Inject
    private RequestGlobals requestGlobals;

    // @SetupRender: Tapestry runs this before it begins rendering the page,
    // so the response is not yet committed and headers can still be added.
    @SetupRender
    public void addHeaders() {
        requestGlobals.getHTTPServletResponse().addHeader("Cache-Control", "no-cache"); // must revalidate before reuse
        requestGlobals.getHTTPServletResponse().addHeader("Cache-Control", "no-store"); // never keep a copy
        requestGlobals.getHTTPServletResponse().addDateHeader("Expires", 0);            // epoch = already expired
        requestGlobals.getHTTPServletResponse().addHeader("Pragma", "no-cache");        // HTTP/1.0 caches
    }
}

Left by Jose on Sep 18, 2009 6:21 AM
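The fix in the comment above is framework-specific, but the principle is general: the server, not a `<meta>` tag, must emit the headers before the response is committed. The following is an added example (not code from the original post, from Jose's comment, or from Tapestry) that applies the same three headers as WSGI middleware around any Python web application, together with a small in-process harness that confirms what actually reaches the wire. The demo application, its paths and request bodies are constructed for the example; the `should_protect` predicate, `no_store` and `call` are names chosen here.

```python
# Added example (not from the original post, Jose's comment, or Tapestry):
# the same server-side fix generalised to any WSGI application, with an
# in-process harness to check the emitted headers. Demo app, paths and
# bodies are constructed.
import io
from wsgiref.util import setup_testing_defaults

NO_STORE_HEADERS = [
    # RFC 2616 14.9: no-store forbids keeping a copy, no-cache forces
    # revalidation, must-revalidate removes the stale-reuse loophole.
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    # For HTTP/1.0 caches that do not understand Cache-Control.
    ("Pragma", "no-cache"),
    # "0" is not a valid HTTP-date, which RFC 2616 14.21 says means "expired";
    # same effect as the Tapestry snippet's addDateHeader("Expires", 0).
    ("Expires", "0"),
]


def no_store(app, should_protect=lambda environ: True):
    """Wrap a WSGI app so every response for which should_protect(environ)
    is true carries NO_STORE_HEADERS, replacing any Cache-Control, Pragma or
    Expires header the application itself set."""
    replaced = {name.lower() for name, _ in NO_STORE_HEADERS}

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if should_protect(environ):
                headers = [(n, v) for n, v in headers if n.lower() not in replaced]
                headers = headers + NO_STORE_HEADERS
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed sample application: the page after a login POST, which
    (carelessly) marks itself cacheable for an hour."""
    body = b"<html><body>Account balance: 1,234.56 (constructed)</body></html>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "max-age=3600")])
    return [body]


# Protect everything except static assets, regardless of method: the bug was
# seen on POST responses, but private GET pages deserve the same treatment.
protected_app = no_store(
    demo_app,
    should_protect=lambda environ: not environ.get("PATH_INFO", "").startswith("/static/"))


def call(app, method="GET", path="/", body=b""):
    """Drive a WSGI app in-process; returns (status, {lower-cased header: value}, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    result = app(environ, start_response)
    out = b"".join(result)
    if hasattr(result, "close"):
        result.close()
    return captured["status"], {n.lower(): v for n, v in captured["headers"]}, out


if __name__ == "__main__":
    for method, path in (("POST", "/account"), ("GET", "/static/logo.png")):
        status, headers, _ = call(protected_app, method, path)
        print(method, path, status, headers.get("cache-control"))
```

The middleware strips the application's own `Cache-Control: max-age=3600` before adding the protective set, so a careless handler cannot undo the policy; static assets keep their original caching headers because the predicate excludes them.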

# re: Firefox 3 ignores cache control http headers - security risk for online apps!
Thanks for the nice old post. Even though this is a very old post, it is still useful for me. :)
Left by Learn Forex Trading on May 10, 2011 3:10 AM



Copyright © Tim Huffam | Powered by: GeeksWithBlogs.net