#34048 closed Cleanup/optimization (needsinfo)
Do not add cache control header if is set to false or a falsy value
| Reported by: | Wiktor | Owned by: | Wiktor |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | cache control |
| Cc: | Wiktor, Jan Urban, Flavio Curella | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Currently when one sets no_cache to a falsy value, e.g.:
@cache_control(no_cache=False)
def some_view()
pass
Cache-Control header will be set to no_cache=False.
This might be confusing and might lead to a security issue.
Instead it should be just excluded.
Change History (9)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
| Description: | modified (diff) |
|---|
comment:3 by , 3 years ago
| Cc: | added |
|---|---|
| Has patch: | set |
comment:4 by , 3 years ago
| Cc: | added |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Bug → Cleanup/optimization |
comment:5 by , 3 years ago
| Cc: | added |
|---|
comment:6 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:7 by , 3 years ago
This ticket is about avoiding the possible misunderstanding of how no-cache works in browser.
This ticket should not change the functionality of no-cache header and the end result of the patch_cache_control and how the header is interpreted. (As far as I know)
Needs more verification and discussion, if we should lead the hand of others.
As mentioned as it could be security issue as well if the value is interpreted wrongly by the others.
I do not know how exactly the no-cache works and what are the conventions for it and best practice, but this sounded like it make it more explicit.
comment:8 by , 3 years ago
| Resolution: | → needsinfo |
|---|---|
| Status: | assigned → closed |
| Triage Stage: | Accepted → Unreviewed |
Closing as "needsinfo" as I'm not sure how this can create a security issue and why False should be treated differently. True always takes precedence over other values, so passing False will not override. On the other hand when no-cache is not set to True than the value is cast to string and added to the list of field names. Please provide more details.
comment:9 by , 3 years ago
Setting
no_cache = False cache_control(no_cache=no_cache)
will end up creating header
Cache-Control: no-cache=False
which is not intuitive and might lead to an unexpected caching behavior (thus I mentioned potential security issue). What I'd expect is an empty Cache-Control.
Cache-Control:
More context about no-cache could be found in RFC: https://www.rfc-editor.org/rfc/rfc7234#section-5.2.2.2
The "no-cache" response directive indicates that the response MUST
NOT be used to satisfy a subsequent request without successful
validation on the origin server. This allows an origin server to
prevent a cache from using it to satisfy a request without contacting
it, even by caches that have been configured to send stale responses.
[...]
For True it works as expected (it just adds Cache-Control: no-cache).
What do you suggest in that case? I understand that maybe the behavior should be changed for all the keyword arguments (True - turn them on, False - turn them off), however I find no-cache more sensitive.
PR: https://github.com/django/django/pull/16099