
rt branch 5.0/strict-browser-security created. rt-5.0.5-95-g4f3311bbc1
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/strict-browser-security has been created
at 4f3311bbc1869ebd4f0d6dd93e69636e407f2e3d (commit)

- Log -----------------------------------------------------------------
commit 4f3311bbc1869ebd4f0d6dd93e69636e407f2e3d
Author: Jim Brandt <jbrandt@bestpractical.com>
Date: Mon Dec 18 16:01:06 2023 -0500

Add $WebStrictBrowserCache option to disable browser cache

RT systems that store sensitive data may want to disable all
browser cache and back button behavior. This option enables
that and moves these headers to a separate Mason template
for easy override.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6433198a36..39b4e296f6 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1573,6 +1573,20 @@ off I<unless> user connections to RT are secured by some other method.

Set($WebSecureCookies, 1);

+=item C<$WebStrictBrowserCache>
+
+As part of normal operation, browsers typically store some browsing
+history, enabling the Back button to work. Browsers also often
+cache pages in the browsing history to improve performance.
+
+Enable this option if you are using RT with highly ssensitive
+information and want to signal the browser to not store any history
+or cache any data. The default is disabled.
+
+=cut
+
+Set($WebStrictBrowserCache, 0);
+
=item C<$WebHttpOnlyCookies>

Default RT's session cookie to not being directly accessible to
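Review bot: typo in the new POD paragraph: "highly ssensitive" should read "highly sensitive". The description also overstates what the option can do: response headers can only tell the browser not to cache pages (so the Back button re-requests them instead of showing a stored copy); they cannot stop the browser from keeping history entries, so "not store any history" should be reworded to something like "not cache any page content". It would help administrators to name the actual effect here, i.e. that RT sends `Cache-control: no-cache, no-store, must-revalidate` with an expired `Expires` header instead of the default `Cache-control: no-cache`.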
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 04fbe3dcd5..5a7edccc35 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1889,6 +1889,9 @@ our %META;
WebSecureCookies => {
Widget => '/Widgets/Form/Boolean',
},
+ WebStrictBrowserCache => {
+ Widget => '/Widgets/Form/Boolean',
+ },
WikiImplicitLinks => {
Widget => '/Widgets/Form/Boolean',
},
diff --git a/share/html/Elements/Header b/share/html/Elements/Header
index 14be9196af..6dc9396461 100644
--- a/share/html/Elements/Header
+++ b/share/html/Elements/Header
@@ -123,8 +123,7 @@ $lang = $session{'CurrentUser'}->LanguageHandle->language_tag
&& $session{'CurrentUser'}->LanguageHandle
&& $session{'CurrentUser'}->LanguageHandle->language_tag;

-$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
+$m->comp('/Elements/HttpResponseHeaders');

my $id = $m->request_comp->path;
$id =~ s|^/||g;
diff --git a/share/html/m/_elements/header b/share/html/Elements/HttpResponseHeaders
similarity index 71%
copy from share/html/m/_elements/header
copy to share/html/Elements/HttpResponseHeaders
index fbf873c61f..b1c635b8d5 100644
--- a/share/html/m/_elements/header
+++ b/share/html/Elements/HttpResponseHeaders
@@ -45,30 +45,23 @@
%# those contributions and any derivatives thereof.
%#
%# END BPS TAGGED BLOCK }}}
-<%args>
-$title => loc('RT for [_1]', RT->Config->Get('rtname'))
-$show_home_button => 1
-</%args>
-<%init>
+<%INIT>
+if ( RT->Config->Get('WebStrictBrowserCache') ) {
+
+ # Instruct the browser not to cache content
+ $r->headers_out->{'Cache-control'} = 'no-cache, no-store, must-revalidate, max-age=0, s-maxage=0';
+
+ my $expires = RT::Date->new(RT->SystemUser);
+ $expires->SetToNow;
+ # Make sure it's in the past to allow no cache
+ $expires->AddSeconds(-10);
+ $r->headers_out->{'Expires'} = $expires->RFC2616;
+}
+else {
+ $r->headers_out->{'Cache-control'} = 'no-cache';
+}
+
$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
-</%init>
-<html>
-<head>
-<link rel="stylesheet" type="text/css" href="<%RT->Config->Get('WebPath')%>/static/css/mobile.css"/>
-<title><%$title%></title>
-% my ($jquery) = grep { /^jquery-\d+\./ } RT::Interface::Web->JSFiles;
-<script src="<% RT->Config->Get('WebPath') %>/static/js/<% $jquery %>"></script>
-<meta name="viewport" content="width=device-width height=device-height user-scalable=yes"/>
-<& /Elements/Framekiller &>
-</head>
-<body>
-% if ($show_home_button) {
-% # The align is for older browsers, like the blackberry
-<div id="gohome" align="right">
-<a href="<%RT->Config->Get('WebPath')%>/m/"><&|/l&>Homepage</&></a>
-</div>
-% }
-% if ($title) {
-<h1><%$title%></h1>
-% }
+
+$m->callback( %ARGS, CallbackName => 'End' );
+</%INIT>
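Review bot: the `$m->callback( %ARGS, CallbackName => 'End' )` line passes `%ARGS`, but both callers in this patch invoke the component as `$m->comp('/Elements/HttpResponseHeaders')` with no arguments, so `%ARGS` is always empty here; either drop it or have the callers pass their own arguments through if callbacks are meant to see page context. Two smaller points on the strict branch: constructing an `RT::Date`, calling `SetToNow` and `AddSeconds(-10)` on every page render just to produce a date in the past is more work than needed, since any fixed past date (or the literal `0`) has the same meaning to browsers; and because `Cache-control` already carries `no-store` and `max-age=0`, the `Expires` header only matters to HTTP/1.0 caches, which the `Pragma: no-cache` line also targets, so a one-line comment saying both are kept for legacy caches would save the next reader from wondering whether one is redundant. Lastly, this file uses `<%INIT>` while the mobile header it was copied from uses `<%init>`; Mason accepts both, but matching the existing casing makes grepping easier.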
diff --git a/share/html/m/_elements/header b/share/html/m/_elements/header
index fbf873c61f..e82459e578 100644
--- a/share/html/m/_elements/header
+++ b/share/html/m/_elements/header
@@ -50,8 +50,7 @@ $title => loc('RT for [_1]', RT->Config->Get('rtname'))
$show_home_button => 1
</%args>
<%init>
-$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
+$m->comp('/Elements/HttpResponseHeaders');
</%init>
<html>
<head>
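Review bot: nothing to change in this hunk, but with both `/Elements/Header` and `/m/_elements/header` now routed through `/Elements/HttpResponseHeaders`, it is worth checking whether any other component in the tree still assigns `Cache-control` or `Pragma` directly; any that do would keep sending the old `no-cache` value and quietly bypass `$WebStrictBrowserCache`, which would undercut the guarantee the new config documentation gives.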

-----------------------------------------------------------------------


hooks/post-receive
--
rt
_______________________________________________
rt-commit mailing list
rt-commit@lists.bestpractical.com
https://lists.bestpractical.com/mailman/listinfo/rt-commit