Also set no-store when we set no-cache in response cache control headers (#22842)

John Luo · web-flow · commit ef9a3662d600 · 2020-06-11T20:38:54.000-07:00
diff --git a/src/Hosting/Hosting/src/GenericHost/GenericWebHostedService.cs b/src/Hosting/Hosting/src/GenericHost/GenericWebHostedService.cs
@@ -187,7 +187,8 @@ private RequestDelegate BuildErrorPageApplication(Exception exception)
             return context =>
             {
                 context.Response.StatusCode = 500;
-                context.Response.Headers[HeaderNames.CacheControl] = "no-cache";
+                context.Response.Headers[HeaderNames.CacheControl] = "no-cache,no-store";
+                context.Response.Headers[HeaderNames.Pragma] = "no-cache";
                 context.Response.ContentType = "text/html; charset=utf-8";
                 return errorPage.ExecuteAsync(context);
             };
diff --git a/src/Hosting/Hosting/src/Internal/WebHost.cs b/src/Hosting/Hosting/src/Internal/WebHost.cs
@@ -284,7 +284,8 @@ private RequestDelegate BuildApplication()
                 return context =>
                 {
                     context.Response.StatusCode = 500;
-                    context.Response.Headers[HeaderNames.CacheControl] = "no-cache";
+                    context.Response.Headers[HeaderNames.CacheControl] = "no-cache,no-store";
+                    context.Response.Headers[HeaderNames.Pragma] = "no-cache";
                     return errorPage.ExecuteAsync(context);
                 };
             }
diff --git a/src/Middleware/Diagnostics.EntityFrameworkCore/src/MigrationsEndPointMiddleware.cs b/src/Middleware/Diagnostics.EntityFrameworkCore/src/MigrationsEndPointMiddleware.cs
@@ -28,8 +28,8 @@ public class MigrationsEndPointMiddleware
         /// <param name="logger">The <see cref="Logger{T}"/> to write messages to.</param>
         /// <param name="options">The options to control the behavior of the middleware.</param>
         public MigrationsEndPointMiddleware(
-            RequestDelegate next, 
-            ILogger<MigrationsEndPointMiddleware> logger, 
+            RequestDelegate next,
+            ILogger<MigrationsEndPointMiddleware> logger,
             IOptions<MigrationsEndPointOptions> options)
         {
             if (next == null)
@@ -80,7 +80,7 @@ public virtual async Task Invoke(HttpContext context)
 
                         context.Response.StatusCode = (int)HttpStatusCode.NoContent;
                         context.Response.Headers.Add("Pragma", new[] { "no-cache" });
-                        context.Response.Headers.Add("Cache-Control", new[] { "no-cache" });
+                        context.Response.Headers.Add("Cache-Control", new[] { "no-cache,no-store" });
 
                         _logger.MigrationsApplied(db.GetType().FullName);
                     }
@@ -147,7 +147,7 @@ private static async Task WriteErrorToResponse(HttpResponse response, string err
         {
             response.StatusCode = (int)HttpStatusCode.BadRequest;
             response.Headers.Add("Pragma", new[] { "no-cache" });
-            response.Headers.Add("Cache-Control", new[] { "no-cache" });
+            response.Headers.Add("Cache-Control", new[] { "no-cache,no-store" });
             response.ContentType = "text/plain";
 
             // Padding to >512 to ensure IE doesn't hide the message
diff --git a/src/Middleware/Diagnostics/src/ExceptionHandler/ExceptionHandlerMiddleware.cs b/src/Middleware/Diagnostics/src/ExceptionHandler/ExceptionHandlerMiddleware.cs
@@ -153,7 +153,7 @@ private static void ClearHttpContext(HttpContext context)
         private static Task ClearCacheHeaders(object state)
         {
             var headers = ((HttpResponse)state).Headers;
-            headers[HeaderNames.CacheControl] = "no-cache";
+            headers[HeaderNames.CacheControl] = "no-cache,no-store";
             headers[HeaderNames.Pragma] = "no-cache";
             headers[HeaderNames.Expires] = "-1";
             headers.Remove(HeaderNames.ETag);
diff --git a/src/Middleware/Diagnostics/test/UnitTests/ExceptionHandlerTest.cs b/src/Middleware/Diagnostics/test/UnitTests/ExceptionHandlerTest.cs
@@ -164,9 +164,8 @@ public async Task ClearsResponseBuffer_BeforeRequestIsReexecuted()
                 Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
                 Assert.Equal(expectedResponseBody, await response.Content.ReadAsStringAsync());
                 IEnumerable<string> values;
-                Assert.True(response.Headers.TryGetValues("Cache-Control", out values));
-                Assert.Single(values);
-                Assert.Equal("no-cache", values.First());
+                Assert.True(response.Headers.CacheControl.NoCache);
+                Assert.True(response.Headers.CacheControl.NoStore);
                 Assert.True(response.Headers.TryGetValues("Pragma", out values));
                 Assert.Single(values);
                 Assert.Equal("no-cache", values.First());
@@ -214,9 +213,8 @@ public async Task ClearsCacheHeaders_SetByReexecutionPathHandlers()
                 Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
                 Assert.Equal(expectedResponseBody, await response.Content.ReadAsStringAsync());
                 IEnumerable<string> values;
-                Assert.True(response.Headers.TryGetValues("Cache-Control", out values));
-                Assert.Single(values);
-                Assert.Equal("no-cache", values.First());
+                Assert.True(response.Headers.CacheControl.NoCache);
+                Assert.True(response.Headers.CacheControl.NoStore);
                 Assert.True(response.Headers.TryGetValues("Pragma", out values));
                 Assert.Single(values);
                 Assert.Equal("no-cache", values.First());
diff --git a/src/Middleware/Session/src/SessionMiddleware.cs b/src/Middleware/Session/src/SessionMiddleware.cs
@@ -161,7 +161,7 @@ private void SetCookie()
                 response.Cookies.Append(_options.Cookie.Name, _cookieValue, cookieOptions);
 
                 var responseHeaders = response.Headers;
-                responseHeaders[HeaderNames.CacheControl] = "no-cache";
+                responseHeaders[HeaderNames.CacheControl] = "no-cache,no-store";
                 responseHeaders[HeaderNames.Pragma] = "no-cache";
                 responseHeaders[HeaderNames.Expires] = "-1";
             }
diff --git a/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs b/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs
@@ -17,6 +17,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
     public class CookieAuthenticationHandler : SignInAuthenticationHandler<CookieAuthenticationOptions>
     {
         private const string HeaderValueNoCache = "no-cache";
+        private const string HeaderValueNoCacheNoStore = "no-cache,no-store";
         private const string HeaderValueEpocDate = "Thu, 01 Jan 1970 00:00:00 GMT";
         private const string SessionIdClaim = "Microsoft.AspNetCore.Authentication.Cookies-SessionId";
 
@@ -374,7 +375,7 @@ protected async override Task HandleSignOutAsync(AuthenticationProperties proper
 
         private async Task ApplyHeaders(bool shouldRedirectToReturnUrl, AuthenticationProperties properties)
         {
-            Response.Headers[HeaderNames.CacheControl] = HeaderValueNoCache;
+            Response.Headers[HeaderNames.CacheControl] = HeaderValueNoCacheNoStore;
             Response.Headers[HeaderNames.Pragma] = HeaderValueNoCache;
             Response.Headers[HeaderNames.Expires] = HeaderValueEpocDate;
 
diff --git a/src/Security/Authentication/test/CookieTests.cs b/src/Security/Authentication/test/CookieTests.cs
@@ -138,6 +138,9 @@ public async Task SignInCausesDefaultCookieToBeCreated()
             Assert.DoesNotContain("; expires=", setCookie);
             Assert.DoesNotContain("; domain=", setCookie);
             Assert.DoesNotContain("; secure", setCookie);
+            Assert.True(transaction.Response.Headers.CacheControl.NoCache);
+            Assert.True(transaction.Response.Headers.CacheControl.NoStore);
+            Assert.Equal("no-cache", transaction.Response.Headers.Pragma.ToString());
         }
 
         [Fact]
diff --git a/src/SignalR/common/Http.Connections/src/Internal/Transports/ServerSentEventsServerTransport.cs b/src/SignalR/common/Http.Connections/src/Internal/Transports/ServerSentEventsServerTransport.cs
@@ -35,7 +35,8 @@ public ServerSentEventsServerTransport(PipeReader application, string connection
         public async Task ProcessRequestAsync(HttpContext context, CancellationToken token)
         {
             context.Response.ContentType = "text/event-stream";
-            context.Response.Headers[HeaderNames.CacheControl] = "no-cache";
+            context.Response.Headers[HeaderNames.CacheControl] = "no-cache,no-store";
+            context.Response.Headers[HeaderNames.Pragma] = "no-cache";
 
             // Make sure we disable all response buffering for SSE
             var bufferingFeature = context.Features.Get<IHttpResponseBodyFeature>();
diff --git a/src/SignalR/common/Http.Connections/test/ServerSentEventsTests.cs b/src/SignalR/common/Http.Connections/test/ServerSentEventsTests.cs
@@ -31,7 +31,8 @@ public async Task SSESetsContentType()
                 await sse.ProcessRequestAsync(context, context.RequestAborted);
 
                 Assert.Equal("text/event-stream", context.Response.ContentType);
-                Assert.Equal("no-cache", context.Response.Headers["Cache-Control"]);
+                Assert.Equal("no-cache,no-store", context.Response.Headers["Cache-Control"]);
+                Assert.Equal("no-cache", context.Response.Headers["Pragma"]);
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -284,7 +284,8 @@ private RequestDelegate BuildApplication()`
`284`	`284`	`return context =>`
`285`	`285`	`{`
`286`	`286`	`context.Response.StatusCode = 500;`
`287`		`- context.Response.Headers[HeaderNames.CacheControl] = "no-cache";`
	`287`	`+ context.Response.Headers[HeaderNames.CacheControl] = "no-cache,no-store";`
	`288`	`+ context.Response.Headers[HeaderNames.Pragma] = "no-cache";`
`288`	`289`	`return errorPage.ExecuteAsync(context);`
`289`	`290`	`};`
`290`	`291`	`}`
Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ private static void ClearHttpContext(HttpContext context)`
`153`	`153`	`private static Task ClearCacheHeaders(object state)`
`154`	`154`	`{`
`155`	`155`	`var headers = ((HttpResponse)state).Headers;`
`156`		`- headers[HeaderNames.CacheControl] = "no-cache";`
	`156`	`+ headers[HeaderNames.CacheControl] = "no-cache,no-store";`
`157`	`157`	`headers[HeaderNames.Pragma] = "no-cache";`
`158`	`158`	`headers[HeaderNames.Expires] = "-1";`
`159`	`159`	`headers.Remove(HeaderNames.ETag);`
Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ private void SetCookie()`
`161`	`161`	`response.Cookies.Append(_options.Cookie.Name, _cookieValue, cookieOptions);`
`162`	`162`
`163`	`163`	`var responseHeaders = response.Headers;`
`164`		`- responseHeaders[HeaderNames.CacheControl] = "no-cache";`
	`164`	`+ responseHeaders[HeaderNames.CacheControl] = "no-cache,no-store";`
`165`	`165`	`responseHeaders[HeaderNames.Pragma] = "no-cache";`
`166`	`166`	`responseHeaders[HeaderNames.Expires] = "-1";`
`167`	`167`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies`
`17`	`17`	`public class CookieAuthenticationHandler : SignInAuthenticationHandler<CookieAuthenticationOptions>`
`18`	`18`	`{`
`19`	`19`	`private const string HeaderValueNoCache = "no-cache";`
	`20`	`+ private const string HeaderValueNoCacheNoStore = "no-cache,no-store";`
`20`	`21`	`private const string HeaderValueEpocDate = "Thu, 01 Jan 1970 00:00:00 GMT";`
`21`	`22`	`private const string SessionIdClaim = "Microsoft.AspNetCore.Authentication.Cookies-SessionId";`
`22`	`23`
`@@ -374,7 +375,7 @@ protected async override Task HandleSignOutAsync(AuthenticationProperties proper`
`374`	`375`
`375`	`376`	`private async Task ApplyHeaders(bool shouldRedirectToReturnUrl, AuthenticationProperties properties)`
`376`	`377`	`{`
`377`		`- Response.Headers[HeaderNames.CacheControl] = HeaderValueNoCache;`
	`378`	`+ Response.Headers[HeaderNames.CacheControl] = HeaderValueNoCacheNoStore;`
`378`	`379`	`Response.Headers[HeaderNames.Pragma] = HeaderValueNoCache;`
`379`	`380`	`Response.Headers[HeaderNames.Expires] = HeaderValueEpocDate;`
`380`	`381`
Original file line number	Diff line number	Diff line change
`@@ -138,6 +138,9 @@ public async Task SignInCausesDefaultCookieToBeCreated()`
`138`	`138`	`Assert.DoesNotContain("; expires=", setCookie);`
`139`	`139`	`Assert.DoesNotContain("; domain=", setCookie);`
`140`	`140`	`Assert.DoesNotContain("; secure", setCookie);`
	`141`	`+ Assert.True(transaction.Response.Headers.CacheControl.NoCache);`
	`142`	`+ Assert.True(transaction.Response.Headers.CacheControl.NoStore);`
	`143`	`+ Assert.Equal("no-cache", transaction.Response.Headers.Pragma.ToString());`
`141`	`144`	`}`
`142`	`145`
`143`	`146`	`[Fact]`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,8 @@ public ServerSentEventsServerTransport(PipeReader application, string connection`
`35`	`35`	`public async Task ProcessRequestAsync(HttpContext context, CancellationToken token)`
`36`	`36`	`{`
`37`	`37`	`context.Response.ContentType = "text/event-stream";`
`38`		`- context.Response.Headers[HeaderNames.CacheControl] = "no-cache";`
	`38`	`+ context.Response.Headers[HeaderNames.CacheControl] = "no-cache,no-store";`
	`39`	`+ context.Response.Headers[HeaderNames.Pragma] = "no-cache";`
`39`	`40`
`40`	`41`	`// Make sure we disable all response buffering for SSE`
`41`	`42`	`var bufferingFeature = context.Features.Get<IHttpResponseBodyFeature>();`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,8 @@ public async Task SSESetsContentType()`
`31`	`31`	`await sse.ProcessRequestAsync(context, context.RequestAborted);`
`32`	`32`
`33`	`33`	`Assert.Equal("text/event-stream", context.Response.ContentType);`
`34`		`- Assert.Equal("no-cache", context.Response.Headers["Cache-Control"]);`
	`34`	`+ Assert.Equal("no-cache,no-store", context.Response.Headers["Cache-Control"]);`
	`35`	`+ Assert.Equal("no-cache", context.Response.Headers["Pragma"]);`
`35`	`36`	`}`
`36`	`37`	`}`
`37`	`38`