Merge branch '346892-change-caching-headers-from-no-store' into 'master'

Remove 'no-store' from page caching headers See merge request gitlab-org/gitlab!75628

Merge branch '346892-change-caching-headers-from-no-store' into 'master'
Remove 'no-store' from page caching headers See merge request gitlab-org/gitlab!75628
11c78743 · Heinrich Lee Yu · 1c9bda33 · c825124b · 11c78743 · 11c78743
Commit 11c78743 authored Dec 10, 2021 by Heinrich Lee Yu
6 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -66,10 +66,6 @@ class ApplicationController < ActionController::Base
    :manifest_import_enabled?, :phabricator_import_enabled?,
    :masked_page_url
-  # Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security
-  # concerns due to caching private data.
-  DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store"
  def self.endpoint_id_for_action(action_name)
    "#{self.name}##{action_name}"
  end
@@ -283,11 +279,8 @@ class ApplicationController < ActionController::Base
  end
  def default_cache_headers
-    if current_user
-      headers['Cache-Control'] = default_cache_control
    headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility
  end
-  end
  def stream_csv_headers(csv_filename)
    no_cache_headers
@@ -297,14 +290,6 @@ class ApplicationController < ActionController::Base
    headers['Content-Disposition'] = "attachment; filename=\"#{csv_filename}\""
  end
-  def default_cache_control
-    if request.xhr?
-      ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL
-    else
-      DEFAULT_GITLAB_CACHE_CONTROL
-    end
-  end
  def validate_user_service_ticket!
    return unless signed_in? && session[:service_tickets]

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -84,6 +84,8 @@ class SessionsController < Devise::SessionsController
  end
  def destroy
+    headers['Clear-Site-Data'] = '"*"'
    Gitlab::AppLogger.info("User Logout: username=#{current_user.username} ip=#{request.remote_ip}")
    super
    # hide the signed_out notice

--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -732,17 +732,8 @@ RSpec.describe ApplicationController do
        get :index
-        expect(response.headers['Cache-Control']).to eq 'private, no-store'
        expect(response.headers['Pragma']).to eq 'no-cache'
      end
-      it 'does not set the "no-store" header for XHR requests' do
-        sign_in(user)
-        get :index, xhr: true
-        expect(response.headers['Cache-Control']).to eq 'max-age=0, private, must-revalidate'
-      end
    end
  end

--- a/spec/controllers/search_controller_spec.rb
+++ b/spec/controllers/search_controller_spec.rb
@@ -324,7 +324,7 @@ RSpec.describe SearchController do
        expect(response).to have_gitlab_http_status(:ok)
-        expect(response.headers['Cache-Control']).to eq('private, no-store')
+        expect(response.headers['Cache-Control']).to eq('max-age=60, private')
      end
      it 'does NOT blow up if search param is NOT a string' do

--- a/spec/requests/admin/version_check_controller_spec.rb
+++ b/spec/requests/admin/version_check_controller_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Admin::VersionCheckController, :enable_admin_mode do
      end
      it 'sets no-cache headers' do
-        expect(response.headers['Cache-Control']).to eq('private, no-store')
+        expect(response.headers['Cache-Control']).to eq('max-age=0, private, must-revalidate')
      end
    end
@@ -43,10 +43,7 @@ RSpec.describe Admin::VersionCheckController, :enable_admin_mode do
      end
      it 'sets proper cache headers' do
-        # TODO: https://gitlab.com/gitlab-org/gitlab/-/issues/346999
+        expect(response.headers['Cache-Control']).to eq('max-age=60, private')
-        # The Cache-Control header is not set correctly for tests
-        # expect(response.headers['Cache-Control']).to eq('max-age=60, private')
-        expect(response.headers['Cache-Control']).to eq('private, no-store')
      end
    end
  end

--- a/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
@@ -299,7 +299,7 @@ RSpec.shared_examples 'wiki controller actions' do
          expect(response.headers['Content-Disposition']).to match(/^inline/)
          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq('true')
          expect(response.cache_control[:public]).to be(false)
-          expect(response.headers['Cache-Control']).to eq('private, no-store')
+          expect(response.headers['Cache-Control']).to eq('max-age=60, private')
        end
      end
    end