Writing header cache values only when the response hasn't yet started
This commit is contained in:
parent
77b04e3c82
commit
4fa975a416
|
|
@ -67,9 +67,12 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Explicitly set the cache headers to 'no-cache'. This could override any user set value but this is fine
|
if (!httpContext.Response.HasStarted)
|
||||||
// as a response with antiforgery token must never be cached.
|
{
|
||||||
SetDoNotCacheHeaders(httpContext);
|
// Explicitly set the cache headers to 'no-cache'. This could override any user set value but this is fine
|
||||||
|
// as a response with antiforgery token must never be cached.
|
||||||
|
SetDoNotCacheHeaders(httpContext);
|
||||||
|
}
|
||||||
|
|
||||||
return tokenSet;
|
return tokenSet;
|
||||||
}
|
}
|
||||||
|
|
@ -247,7 +250,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
_logger.ReusedCookieToken();
|
_logger.ReusedCookieToken();
|
||||||
}
|
}
|
||||||
|
|
||||||
SetDoNotCacheHeaders(httpContext);
|
if (!httpContext.Response.HasStarted)
|
||||||
|
{
|
||||||
|
SetDoNotCacheHeaders(httpContext);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void SaveCookieTokenAndHeader(HttpContext httpContext, string cookieToken)
|
private void SaveCookieTokenAndHeader(HttpContext httpContext, string cookieToken)
|
||||||
|
|
@ -374,28 +380,13 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
/// <param name="httpContext">The <see cref="HttpContext"/>.</param>
|
/// <param name="httpContext">The <see cref="HttpContext"/>.</param>
|
||||||
protected virtual void SetDoNotCacheHeaders(HttpContext httpContext)
|
protected virtual void SetDoNotCacheHeaders(HttpContext httpContext)
|
||||||
{
|
{
|
||||||
bool cacheHeadersChanged = SetHeaderIfNotSet(httpContext, HeaderNames.CacheControl, "no-cache, no-store");
|
|
||||||
cacheHeadersChanged |= SetHeaderIfNotSet(httpContext, HeaderNames.Pragma, "no-cache");
|
|
||||||
|
|
||||||
if (cacheHeadersChanged)
|
|
||||||
{
|
|
||||||
// Since antifogery token generation is not very obvious to the end users (ex: MVC's form tag generates them
|
// Since antifogery token generation is not very obvious to the end users (ex: MVC's form tag generates them
|
||||||
// by default), log a warning to let users know of the change in behavior to any cache headers they might
|
// by default), log a warning to let users know of the change in behavior to any cache headers they might
|
||||||
// have set explicitly.
|
// have set explicitly.
|
||||||
LogCacheHeaderOverrideWarning(httpContext.Response);
|
LogCacheHeaderOverrideWarning(httpContext.Response);
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private static bool SetHeaderIfNotSet(HttpContext context, string headerName, string value)
|
httpContext.Response.Headers[HeaderNames.CacheControl] = "no-cache, no-store";
|
||||||
{
|
httpContext.Response.Headers[HeaderNames.Pragma] = "no-cache";
|
||||||
if (!context.Response.Headers.ContainsKey(headerName))
|
|
||||||
{
|
|
||||||
context.Response.Headers[headerName] = value;
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void LogCacheHeaderOverrideWarning(HttpResponse response)
|
private void LogCacheHeaderOverrideWarning(HttpResponse response)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue