Commit d1933183 authored by Rémy Coutable's avatar Rémy Coutable

Fix ETag caching not being used for AJAX requests

Signed-off-by: Rémy Coutable <remy@rymai.me>
parent b0097199
...@@ -43,7 +43,10 @@ class ApplicationController < ActionController::Base ...@@ -43,7 +43,10 @@ class ApplicationController < ActionController::Base
:git_import_enabled?, :gitlab_project_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?,
:manifest_import_enabled? :manifest_import_enabled?
# Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security
# concerns due to caching private data.
DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store".freeze DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store".freeze
DEFAULT_GITLAB_CONTROL_NO_CACHE = "#{DEFAULT_GITLAB_CACHE_CONTROL}, no-cache".freeze
rescue_from Encoding::CompatibilityError do |exception| rescue_from Encoding::CompatibilityError do |exception|
log_exception(exception) log_exception(exception)
...@@ -235,9 +238,9 @@ class ApplicationController < ActionController::Base ...@@ -235,9 +238,9 @@ class ApplicationController < ActionController::Base
end end
def no_cache_headers def no_cache_headers
response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate" headers['Cache-Control'] = DEFAULT_GITLAB_CONTROL_NO_CACHE
response.headers["Pragma"] = "no-cache" headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility
response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT" headers['Expires'] = 'Fri, 01 Jan 1990 00:00:00 GMT'
end end
def default_headers def default_headers
...@@ -247,10 +250,16 @@ class ApplicationController < ActionController::Base ...@@ -247,10 +250,16 @@ class ApplicationController < ActionController::Base
headers['X-Content-Type-Options'] = 'nosniff' headers['X-Content-Type-Options'] = 'nosniff'
if current_user if current_user
# Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security headers['Cache-Control'] = default_cache_control
# concerns due to caching private data. headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility
headers['Cache-Control'] = DEFAULT_GITLAB_CACHE_CONTROL end
headers["Pragma"] = "no-cache" # HTTP 1.0 compatibility end
def default_cache_control
if request.xhr?
ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL
else
DEFAULT_GITLAB_CACHE_CONTROL
end end
end end
......
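Review bot: `default_cache_control` drops `no-store` for every XHR response of a signed-in user, not only for responses that actually carry an ETag, so private JSON payloads — the very reason the comment above `DEFAULT_GITLAB_CACHE_CONTROL` gives for adding `no-store` — become storable in the browser's disk cache; `max-age=0, private, must-revalidate` forces revalidation before reuse but does not keep the bytes off disk. `request.xhr?` is driven by the client-supplied `X-Requested-With` header, so the relaxation applies to any client that sends it, not just GitLab's own frontend. Consider narrowing the exception to responses that set an ETag, e.g. `if request.xhr? && response.etag?` (only valid if `default_headers` runs after the action has called `fresh_when`/`stale?`, which this page does not show), or have ETag-cached actions opt out of `no-store` explicitly, and document the trade-off above `default_cache_control` with a comment such as `# XHR responses omit no-store so ETag revalidation can work; they are still private + must-revalidate, so nothing is reused without a round trip`. The enclosing class and the `default_headers` method start outside the hunks shown.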
---
title: Fix ETag caching not being used for AJAX requests
merge_request: 25400
author:
type: fixed
...@@ -665,6 +665,14 @@ describe ApplicationController do ...@@ -665,6 +665,14 @@ describe ApplicationController do
expect(response.headers['Cache-Control']).to eq 'max-age=0, private, must-revalidate, no-store' expect(response.headers['Cache-Control']).to eq 'max-age=0, private, must-revalidate, no-store'
end end
it 'does not set the "no-store" header for XHR requests' do
sign_in(user)
get :index, xhr: true
expect(response.headers['Cache-Control']).to eq 'max-age=0, private, must-revalidate'
end
end end
end end
end end
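Review bot: The new example only pins the signed-in XHR case; nothing asserts that actions calling `no_cache_headers` still receive `no-store` on XHR requests, which depends on the callback order between `no_cache_headers` and `default_headers` that this diff does not show. Add an example against an action that calls `no_cache_headers` with `get :index, xhr: true` and `expect(response.headers['Cache-Control']).to eq 'max-age=0, private, must-revalidate, no-store, no-cache'`, plus one anonymous XHR request asserting no GitLab-specific Cache-Control is applied. The surrounding `describe` block starts outside this section.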