Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Cache is stored even after sending no-cache, no-store, must-revalidate headers

  • 6 个回答
  • 1 人有此问题
  • 1 次查看
  • 最后回复者为 achoudhary

more options

Hello Support,

We require to prevent the firefox from storing our website's sensitive pages. We are in need of a SSL certificate and SSL company are seeing it as a security threat when the sensitive pages are being stored in cache and even after we turn off the internet the pages still show up.

We have tried disabling the cache using server side code but nothing works. We tried HTML meta tags as below:

<meta http-equiv="cache-control" content="max-age=0" /> <meta http-equiv="cache-control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="expires" content="0" /> <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /> <meta http-equiv="pragma" content="no-cache" />

Then tried with PHP, still didn't worked:

header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1. header("Pragma: no-cache"); // HTTP 1.0. header("Expires: 0"); // Proxies.


Though it shows the correct response headers but does not work. I have posted a similar Questions on stackoverflow.com but it seems that no one has any answer to this.

Stackoverflow Link: https://stackoverflow.com/questions/35842135/firefox-stores-cache-even-if-meta-tag-is-set-to-no-cache-no-store-must-revalid

Same settings work on chrome and other major browsers but does not work in firefox. On work offline mode, pages should not show up if I'm right.

Can you enlighten me on this as in what's really happening with Firefox? I am using Firefox version 44.0.2 on Windows 7 64-bit Platform.

Thanks

Hello Support, We require to prevent the firefox from storing our website's sensitive pages. We are in need of a SSL certificate and SSL company are seeing it as a security threat when the sensitive pages are being stored in cache and even after we turn off the internet the pages still show up. We have tried disabling the cache using server side code but nothing works. We tried HTML meta tags as below: <!-- Cache control --> <meta http-equiv="cache-control" content="max-age=0" /> <meta http-equiv="cache-control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="expires" content="0" /> <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /> <meta http-equiv="pragma" content="no-cache" /> Then tried with PHP, still didn't worked: header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1. header("Pragma: no-cache"); // HTTP 1.0. header("Expires: 0"); // Proxies. Though it shows the correct response headers but does not work. I have posted a similar Questions on stackoverflow.com but it seems that no one has any answer to this. Stackoverflow Link: https://stackoverflow.com/questions/35842135/firefox-stores-cache-even-if-meta-tag-is-set-to-no-cache-no-store-must-revalid Same settings work on chrome and other major browsers but does not work in firefox. On work offline mode, pages should not show up if I'm right. Can you enlighten me on this as in what's really happening with Firefox? I am using Firefox version 44.0.2 on Windows 7 64-bit Platform. Thanks

由achoudhary于修改

所有回复 (6)

more options

I'm a little surprised, but if you need a workaround, you can use POST instead of GET to retrieve sensitive pages. Example:

https://jeffersonscher.com/res/nostore1.php

more options

Thanks for the reply Jscher.

I wonder if its possible through GET only as we the sensitive info we are displaying is dynamically generated to an HTML page. Now this HTML page is accessed through the web and we cannot check if its post request in HTML pages. Is there any way we can get it done on HTML pages through GET request?

Thanks

more options

Hopefully someone else can answer about GET requests.

About this:

achoudhary said

... the sensitive info we are displaying is dynamically generated to an HTML page. Now this HTML page is accessed through the web and we cannot check if its post request in HTML pages.

But you're not wedded to a static HTML page, right? You can use PHP, ASP.Net, or another scripting language to detect the request type of the main page and embed an anti-CSRF token that allows you to validate the source of the background request. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

more options

Yes We can do that. But the question remains the same. Is there a way to accomplish that on HTML pages?

Even if I turn-off the internet or unplug the internet cable still the webpages show up.

Weird it seems to me and SSL company. CTRL + f5 doesn't respond.

This might be a security threat as I can see. If there's some background trojan running offline and gathering the info and sends the bundled info gathered(during offline) when we're online.

Any ways, thanks for the support. So the solution that came out is that we cannot prevent firefox from storing cache through get request if the page is a simple HTML page and it will continue to show up even if the internet is not connected.

more options

This is not a developer support site, so don't take the lack of response to your question as "the answer."

Where to go for developer support

more options

Okay. Thanks