#34048 closed Cleanup/optimization (needsinfo)
Do not add cache control header if is set to false or a falsy value
Reported by: | Wiktor | Owned by: | Wiktor |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | cache control |
Cc: | Wiktor, Jan Urban, Flavio Curella | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Currently when one sets no_cache to a falsy value, e.g.:
@cache_control(no_cache=False) def some_view() pass
Cache-Control header will be set to no_cache=False.
This might be confusing and might lead to a security issue.
Instead it should be just excluded.
Change History (9)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
Description: | modified (diff) |
---|
comment:3 by , 2 years ago
Cc: | added |
---|---|
Has patch: | set |
comment:4 by , 2 years ago
Cc: | added |
---|---|
Triage Stage: | Unreviewed → Accepted |
Type: | Bug → Cleanup/optimization |
comment:5 by , 2 years ago
Cc: | added |
---|
comment:6 by , 2 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:7 by , 2 years ago
This ticket is about avoiding the possible misunderstanding of how no-cache
works in browser.
This ticket should not change the functionality of no-cache
header and the end result of the patch_cache_control
and how the header is interpreted. (As far as I know)
Needs more verification and discussion, if we should lead the hand of others.
As mentioned as it could be security issue as well if the value is interpreted wrongly by the others.
I do not know how exactly the no-cache
works and what are the conventions for it and best practice, but this sounded like it make it more explicit.
comment:8 by , 2 years ago
Resolution: | → needsinfo |
---|---|
Status: | assigned → closed |
Triage Stage: | Accepted → Unreviewed |
Closing as "needsinfo" as I'm not sure how this can create a security issue and why False
should be treated differently. True
always takes precedence over other values, so passing False
will not override. On the other hand when no-cache
is not set to True
than the value is cast to string and added to the list of field names. Please provide more details.
comment:9 by , 2 years ago
Setting
no_cache = False cache_control(no_cache=no_cache)
will end up creating header
Cache-Control: no-cache=False
which is not intuitive and might lead to an unexpected caching behavior (thus I mentioned potential security issue). What I'd expect is an empty Cache-Control
.
Cache-Control:
More context about no-cache could be found in RFC: https://www.rfc-editor.org/rfc/rfc7234#section-5.2.2.2
The "no-cache" response directive indicates that the response MUST
NOT be used to satisfy a subsequent request without successful
validation on the origin server. This allows an origin server to
prevent a cache from using it to satisfy a request without contacting
it, even by caches that have been configured to send stale responses.
[...]
For True
it works as expected (it just adds Cache-Control: no-cache
).
What do you suggest in that case? I understand that maybe the behavior should be changed for all the keyword arguments (True - turn them on, False - turn them off), however I find no-cache
more sensitive.
PR: https://github.com/django/django/pull/16099