Administration: Add the no-store and private directives to the Cache-Control header when preventing caching for logged in users.

The intention behind this change is to prevent sensitive data in responses for logged in users being cached and available to others, for example via the browser history after the user logs out. The `no-store` directive instructs caches in the browser or within proxies not to store the response in the cache. This is subtly different from the `no-cache` directive which means the response can be cached but must be revalidated before re-use. WordPress does not use ETag headers by default therefore this does not achieve the same result. The `private` directive complements the `no-store` directive by specifying that the response contains private information that should not be stored in a public cache. Som e proxy caches may ignore the `no-store` directive but respect the `private` directive, thus it is included. The existing `Cache-Control` header for users who are not logged in remains unchanged, and the existing cache prevention directives remain in place for backwards compatib ility. Props soulseekah, luehrsen, Dharm1025, markdoliner, rutviksavsani, ayeshrajans, paulkevan, clorith, andy786, johnbillion Fixes #21938, Fixes #57627 Built from https://develop.svn.wordpress.org/trunk@55968 git-svn-id: http://core.svn.wordpress.org/trunk@55480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-26 06:45:07 +02:00 · 2023-06-21 18:27:18 +00:00 · 2023-06-21 18:27:18 +00:00 · aa05fbf5f5
commit aa05fbf5f5
parent a686156945
2 changed files with 13 additions and 7 deletions
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@ -1477,24 +1477,30 @@ function status_header( $code, $description = '' ) {
 }

 /**
- * Gets the header information to prevent caching.
+ * Gets the HTTP header information to prevent caching.
 *
 * The several different headers cover the different ways cache prevention
- * is handled by different browsers
+ * is handled by different browsers.
 *
 * @since 2.8.0
+ * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
+ *              `no-store` and `private` directives.
 *
 * @return array The associative array of header names and field values.
 */
 function wp_get_nocache_headers() {
+	$cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
+		? 'no-cache, must-revalidate, max-age=0, no-store, private'
+		: 'no-cache, must-revalidate, max-age=0';
+
 	$headers = array(
 		'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
-		'Cache-Control' => 'no-cache, must-revalidate, max-age=0',
+		'Cache-Control' => $cache_control,
 	);

 	if ( function_exists( 'apply_filters' ) ) {
 		/**
-		 * Filters the cache-controlling headers.
+		 * Filters the cache-controlling HTTP headers that are used to prevent caching.
 		 *
 		 * @since 2.8.0
 		 *
@ -1509,7 +1515,7 @@ function wp_get_nocache_headers() {
 }

 /**
- * Sets the headers to prevent caching for the different browsers.
+ * Sets the HTTP headers to prevent caching for the different browsers.
 *
 * Different browsers support different nocache headers, so several
 * headers must be sent so that all of them get the point that no
@ -1536,7 +1542,7 @@ function nocache_headers() {
 }

 /**
- * Sets the headers for caching for 10 days with JavaScript content type.
+ * Sets the HTTP headers for caching for 10 days with JavaScript content type.
 *
 * @since 2.1.0
 */
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.3-alpha-55967';
+$wp_version = '6.3-alpha-55968';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.