search

aspnet / Mvc

[Archived] ASP.NET Core MVC is a model view controller framework for building dynamic web sites with clean separation of concerns, including the merged MVC, Web API, and Web Pages w/ Razor. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0
5.62k stars 2.14k forks source link

AutoValidateAntiforgeryTokenAttribute erase Cache-Control #7522

Closed daikoz closed 6 years ago

daikoz commented 6 years ago

Hi,

I use .net core 2.1 preview 1.

In Startup.cs, I use:

     services.AddMvc(options =>
            {
                options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
            }).SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

AutoValidateAntiforgeryTokenAttribute is use to validate automatically antiforgery. AutoValidateAntiforgeryTokenAttribute add "cache-control: no-cache, no-store" to the header of http response.

On my controller:

        [HttpGet]
        [HttpHead]
        [Route("")]
        [NoCacheHttpHeaders]
        public ActionResult Index()
        {
            return View();
        }

I use NoCacheHttpHeaders attribute of NWebsec.AspNetCore.Mvc. to add this header:

Cache-Control: no-cache, no-store, must-revalidate Expires: -1 Pragma: no-cache

https://docs.nwebsec.com/en/latest/nwebsec/Configuring-cache-headers.html

Issue

AutoValidateAntiforgeryTokenAttribute rewrite value in cache-control instead of to add values: no-cache, no-store. must-revalidate is removed.

mkArtakMSFT commented 6 years ago

Thanks for contacting us, @zokiad. @javiercn, can you please look into this? Thanks!

mkArtakMSFT commented 6 years ago

Ping @javiercn

javiercn commented 6 years ago

@mkArtakMSFT This is by design. Antiforgery sets the cache-control to "no-cache no-store" which is the strongest level it can be, as it instruct proxies to not store the information and to not server the cached responses without validating with the server first.

must-revalidate tells proxies to validate the cache-entries when the response has become stale, so when used in conjunction with no-cache, I believe it's redundant.

Here are the relevant sections of the RFC that cover this. https://tools.ietf.org/html/rfc7234#section-5.2.2.2 https://tools.ietf.org/html/rfc7234#section-5.2.2.1

Here is the line of code that logs the fact that the cache-control header is being overriden: https://github.com/aspnet/Antiforgery/blob/dev/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgery.cs#L386

While antiforgery overrides the cache-control header, it sets it to its most constraining level, so no action is needed here.

Thanks for reporting this.