IE does not comply with no-store directive

David Hay

IE does not seem to conform to the cache-control: no-store directive as
defined in RFC 2068.

The RFC says:

The purpose of the no-store directive is to prevent the inadvertent release
or retention of sensitive information (for example, on backup tapes). The
no-store directive applies to the entire message, and may be sent either in
a response or in a request. If sent in a request, a cache MUST NOT store any
part of either this request or any response to it. If sent in a response, a
cache MUST NOT store any part of either this response or the request that
elicited it.

When a form is posted to a page that responds with the no-store directive,
IE does not cache the response page (good), but a user can refresh the page
and IE will post the original form data used to request the page (bad).
This latter behaviour does not conform with the RFC because IE has cached the
request that elicited the page.

Has anyone had any experience with this behaviour, or have I missed the
point of the RFC?

David
L.C.

The behaviour described does not contradict the RFC.
In your case you are only sending no-store in a response,
and not a request.

In order for no-store to appear in a request, the browser
would have to generate it. A "no-store" request would only
apply to intermediary caches by preventing them from storing
the request data. It does not apply to the client who decides
to generate it anymore than the request directive affects
the page returning it.
David Hay

I disagree with this. While no-store can be in either a request or response
header, the RFC is very explicit about it applying to both the request and
response, regardless of whether it appears in the request or response. Read
again what I quoted below from section 14.9.2 of RFC 2068 (HTTP 1.1).
Specifically: "If sent in a response, a cache MUST NOT store any part of
either this response or the request that elicited it."

This includes the browser cache, not just intermediate caches. If I add
no-cache to a response page, IE does force the page to be re-requested from
the server, so it has realized no-cache means don't store the page in its
cache, but it does send the original request data again - which is what the
RFC says it should not do. If the request was a login page with
userid/password, or a page with a credit card number, this could be a
serious risk.

David
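The server-side pattern that removes this risk regardless of how any one browser interprets no-store is to answer a credential POST with a redirect (Post/Redirect/Get), so that a refresh re-issues a plain GET rather than re-posting the form, while still marking every response no-store. This is an added example, not code from the thread or from any participant; the Post/Redirect/Get technique goes beyond what the thread discusses, and the paths (/login, /welcome) and form field names (userid, password) are hypothetical.

```python
"""Added example: a minimal WSGI login endpoint that sends Cache-Control:
no-store on every response and answers the POST with a 303 redirect
(Post/Redirect/Get), so that refreshing the landing page re-issues a GET
instead of re-posting the form data.  Paths and field names are hypothetical."""
from io import BytesIO
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Sent on every response: tells caches (including the browser cache)
# not to retain the response or the request that elicited it.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store"),
    ("Pragma", "no-cache"),  # legacy HTTP/1.0 hint, harmless to include
]

LOGIN_FORM = (b'<form method="post" action="/login">'
              b'<input name="userid"><input name="password" type="password">'
              b'<button>Login</button></form>')


def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "/")
    if path == "/login" and method == "GET":
        start_response("200 OK", NO_STORE_HEADERS + [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    if path == "/login" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        # Hypothetical: credential validation of form["userid"] / form["password"]
        # would happen here.  Whatever the outcome, the POST never renders a
        # page itself; it redirects, so the browser's history entry is a GET.
        _ = form.get("userid", [""])[0]
        start_response("303 See Other",
                       NO_STORE_HEADERS + [("Location", "/welcome"),
                                           ("Content-Type", "text/plain")])
        return [b""]
    if path == "/welcome" and method == "GET":
        start_response("200 OK", NO_STORE_HEADERS + [("Content-Type", "text/plain")])
        return [b"logged in; a refresh here re-requests GET /welcome only\n"]
    start_response("404 Not Found", NO_STORE_HEADERS + [("Content-Type", "text/plain")])
    return [b"not found\n"]


def call(method, path, body=b""):
    """Drive the app in-process (no socket) and return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out


if __name__ == "__main__":
    with make_server("127.0.0.1", 8000, app) as srv:
        print("serving on http://127.0.0.1:8000/login")
        srv.serve_forever()
```

Run it and submit the form: the browser lands on /welcome via a GET, so pressing refresh cannot re-send the userid/password body, and no-store on all three responses still asks caches not to retain any of the exchange.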