
Do not allow caching of generated HTML content, as such content will usually contain a nonce which ought not be repeated.

drh 2023-06-22 17:09 trunk
Commit bdde964e06128a02cf5d04d7542399b144ed487076a5e792bbf2c29eb4a436dc
1 file changed +8 -5
+8 -5
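--- a/src/cgi.c
+++ b/src/cgi.c
@@ -497,11 +497,17 @@
 blob_appendf(&hdr, "X-UA-Compatible: IE=edge\r\n");
 }else{
 assert( rangeEnd==0 );
 blob_appendf(&hdr, "Status: %d %s\r\n", iReplyStatus, zReplyStatus);
 }
-if( etag_tag()[0]!=0 ){
+if( etag_tag()[0]!=0
+&& iReplyStatus==200
+&& strcmp(zContentType,"text/html")==0
+){
+/* Do not cache HTML replies as those will have been generated and
+** will likely, therefore, contains a nonce and we want that nonce to
+** be different every time. */
 blob_appendf(&hdr, "ETag: %s\r\n", etag_tag());
 blob_appendf(&hdr, "Cache-Control: max-age=%d\r\n", etag_maxage());
 if( etag_mtime()>0 ){
 blob_appendf(&hdr, "Last-Modified: %s\r\n",
 cgi_rfc822_datestamp(etag_mtime()));
@@ -518,11 +524,11 @@
 blob_appendf(&hdr, "%s", blob_buffer(&extraHeader));
 }
 
 /* Add headers to turn on useful security options in browsers. */
 blob_appendf(&hdr, "X-Frame-Options: SAMEORIGIN\r\n");
-/* This stops fossil pages appearing in frames or iframes, preventing
+/* The previous stops fossil pages appearing in frames or iframes, preventing
 ** click-jacking attacks on supporting browsers.
 **
 ** Other good headers would be
 ** Strict-Transport-Security: max-age=62208000
 ** if we're using https. However, this would break sites which serve different
@@ -534,13 +540,10 @@
 **
 ** These headers are probably best added by the web server hosting fossil as
 ** a CGI script.
 */
 
-/* Content intended for logged in users should only be cached in
-** the browser, not some shared location.
-*/
 if( iReplyStatus!=304 ) {
 blob_appendf(&hdr, "Content-Type: %s%s\r\n", zContentType,
 content_type_charset(zContentType));
 if( fossil_strcmp(zContentType,"application/x-fossil")==0 ){
 cgi_combine_header_and_body();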
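Review bot: The new condition at new-side lines 502–505 of the first hunk is inverted relative to its own comment and to the commit message: `strcmp(zContentType,"text/html")==0` makes the ETag/Cache-Control/Last-Modified block run only for text/html replies, so the nonce-bearing HTML pages still receive `Cache-Control: max-age=...` while every non-HTML reply loses its validators. The test should read `&& strcmp(zContentType,"text/html")!=0`; the same hunk is repeated in the two single-sided renderings below. Even with that fixed, omitting the headers only leaves caching to the cache's defaults rather than forbidding it, so if the requirement is that a nonce is never served twice, emitting an explicit `Cache-Control: no-store` on the HTML path would make the intent enforceable instead of implicit. Minor: this comparison uses bare `strcmp` while the function otherwise uses `fossil_strcmp` (new line 548), and the comment's "contains a nonce" should be "contain a nonce". The enclosing function starts and ends outside the hunk.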
--- src/cgi.c
+++ src/cgi.c
@@ -497,11 +497,17 @@
497 blob_appendf(&hdr, "X-UA-Compatible: IE=edge\r\n");
498 }else{
499 assert( rangeEnd==0 );
500 blob_appendf(&hdr, "Status: %d %s\r\n", iReplyStatus, zReplyStatus);
501 }
502 if( etag_tag()[0]!=0 ){
 
 
 
 
 
 
503 blob_appendf(&hdr, "ETag: %s\r\n", etag_tag());
504 blob_appendf(&hdr, "Cache-Control: max-age=%d\r\n", etag_maxage());
505 if( etag_mtime()>0 ){
506 blob_appendf(&hdr, "Last-Modified: %s\r\n",
507 cgi_rfc822_datestamp(etag_mtime()));
@@ -518,11 +524,11 @@
518 blob_appendf(&hdr, "%s", blob_buffer(&extraHeader));
519 }
520
521 /* Add headers to turn on useful security options in browsers. */
522 blob_appendf(&hdr, "X-Frame-Options: SAMEORIGIN\r\n");
523 /* This stops fossil pages appearing in frames or iframes, preventing
524 ** click-jacking attacks on supporting browsers.
525 **
526 ** Other good headers would be
527 ** Strict-Transport-Security: max-age=62208000
528 ** if we're using https. However, this would break sites which serve different
@@ -534,13 +540,10 @@
534 **
535 ** These headers are probably best added by the web server hosting fossil as
536 ** a CGI script.
537 */
538
539 /* Content intended for logged in users should only be cached in
540 ** the browser, not some shared location.
541 */
542 if( iReplyStatus!=304 ) {
543 blob_appendf(&hdr, "Content-Type: %s%s\r\n", zContentType,
544 content_type_charset(zContentType));
545 if( fossil_strcmp(zContentType,"application/x-fossil")==0 ){
546 cgi_combine_header_and_body();
547
--- src/cgi.c
+++ src/cgi.c
@@ -497,11 +497,17 @@
497 blob_appendf(&hdr, "X-UA-Compatible: IE=edge\r\n");
498 }else{
499 assert( rangeEnd==0 );
500 blob_appendf(&hdr, "Status: %d %s\r\n", iReplyStatus, zReplyStatus);
501 }
502 if( etag_tag()[0]!=0
503 && iReplyStatus==200
504 && strcmp(zContentType,"text/html")==0
505 ){
506 /* Do not cache HTML replies as those will have been generated and
507 ** will likely, therefore, contains a nonce and we want that nonce to
508 ** be different every time. */
509 blob_appendf(&hdr, "ETag: %s\r\n", etag_tag());
510 blob_appendf(&hdr, "Cache-Control: max-age=%d\r\n", etag_maxage());
511 if( etag_mtime()>0 ){
512 blob_appendf(&hdr, "Last-Modified: %s\r\n",
513 cgi_rfc822_datestamp(etag_mtime()));
@@ -518,11 +524,11 @@
524 blob_appendf(&hdr, "%s", blob_buffer(&extraHeader));
525 }
526
527 /* Add headers to turn on useful security options in browsers. */
528 blob_appendf(&hdr, "X-Frame-Options: SAMEORIGIN\r\n");
529 /* The previous stops fossil pages appearing in frames or iframes, preventing
530 ** click-jacking attacks on supporting browsers.
531 **
532 ** Other good headers would be
533 ** Strict-Transport-Security: max-age=62208000
534 ** if we're using https. However, this would break sites which serve different
@@ -534,13 +540,10 @@
540 **
541 ** These headers are probably best added by the web server hosting fossil as
542 ** a CGI script.
543 */
544
 
 
 
545 if( iReplyStatus!=304 ) {
546 blob_appendf(&hdr, "Content-Type: %s%s\r\n", zContentType,
547 content_type_charset(zContentType));
548 if( fossil_strcmp(zContentType,"application/x-fossil")==0 ){
549 cgi_combine_header_and_body();
550
