fix(http): skip TransferCache for cookie-bearing requests by default #67964
Treat requests with a Cookie header like other auth-bearing requests and skip TransferCache caching them by default. This preserves the explicit opt-in path via includeRequestsWithAuthHeaders, adds regression coverage for cookie-bearing requests, and updates the SSR guide to document the behavior.
@JeanMeche requesting review from approvers on this one. This change addresses a security-relevant issue in SSR TransferCache: requests that differ only by Cookie currently alias to the same cache entry, which can cause reuse of user-specific responses across cookie contexts. The patch is intentionally narrow, preserves the existing opt-in path, and is aimed at Google's patch reward program. A review when convenient would be appreciated.
@JeanMeche @alan-agius4, it's been over a month since I submitted this PR. Has anyone taken a look at it? Not really sure what is happening.
Hi, @JeanMeche @alan-agius4, I'm not sure what is happening here, but this PR has been open for over a month. Is there something wrong with the PR?
Hi @JeanMeche @alan-agius4, I believe this fix is security-relevant and should be reviewed and merged by the team, as again, it is a security-relevant fix. I also want to add that another one of my PRs, which was merged, has not received payment. That fix was merged more than a month ago, and I still have not received payment for it. I have had similar issues in the past with the Google bug bounty program, and your team helped me remediate the situation. I am hoping you can help with this again. Thanks!
@Yenya030 thanks for this. So I missed the request for review. |
alan-agius4 left a comment:
Thanks for this, can you also exclude requests with `withCredentials` from the cache? Thanks.
No worries @alan-agius4 it happens. Done. I updated the patch to also exclude requests sent with
Update the transfer cache check to safely exclude all requests sent with the `withCredentials` flag. By default, the HTTP transfer cache avoids caching user-specific responses to prevent sensitive data exposure or incorrect caching. While requests with explicit headers like `Cookie` or `Authorization` are excluded by default, requests can also be sent with credentials via the `withCredentials` flag without having those headers explicitly declared on the request object. To keep user-specific responses from being cached, exclude `withCredentials` requests unconditionally, even when the `includeRequestsWithAuthHeaders` option is set to true.
ac445ed to fbad713
What does this PR do?
This change makes TransferCache skip requests with a `Cookie` header by default.

Today, TransferCache already avoids caching requests with authorization headers unless the application explicitly opts in with `includeRequestsWithAuthHeaders`. This change treats cookie-bearing requests the same way, since those responses can also vary by user context. The explicit opt-in path is preserved.
Why is this change needed?
Requests that carry cookies can produce user-specific responses on the server. Reusing those responses from TransferCache under the default key can return an incorrect cached response for another request to the same URL.
What changes are included?
`Cookie` header by default
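The eligibility rule described in the `withCredentials` commit message and the aliasing problem described under "Why is this change needed?", as an added illustrative example that is not Angular's own TransferCache code. The `Req` shape, the `isCacheable` function, the `makeCache` simulation and the `/api/me` scenario are all constructed here; the real implementation keys and checks requests differently.

```typescript
// Constructed request shape and options; not Angular's HttpRequest or its real config type.
interface Req { method: string; url: string; headers: Record<string, string>; withCredentials?: boolean; }
interface TransferCacheOptions { includeRequestsWithAuthHeaders?: boolean; }

// Headers that mark a response as user-specific. Authorization was already excluded
// by default; this PR adds Cookie to the same rule.
const AUTH_HEADERS = ['authorization', 'cookie'];

function hasHeader(req: Req, name: string): boolean {
  return Object.keys(req.headers).some(h => h.toLowerCase() === name);
}

// True only when the response may be stored in / served from the transfer cache.
function isCacheable(req: Req, opts: TransferCacheOptions = {}): boolean {
  if (req.method !== 'GET' && req.method !== 'HEAD') return false;
  // withCredentials is excluded unconditionally; the opt-in below does not cover it.
  if (req.withCredentials) return false;
  const carriesAuth = AUTH_HEADERS.some(h => hasHeader(req, h));
  return !carriesAuth || opts.includeRequestsWithAuthHeaders === true;
}

// Simulated transfer cache keyed by method + URL only, which is why two requests that
// differ only by Cookie alias to one entry once they are admitted.
function makeCache(opts: TransferCacheOptions = {}) {
  const store = new Map<string, string>();
  return (req: Req, fetch: (r: Req) => string): string => {
    const key = `${req.method} ${req.url}`;
    const cacheable = isCacheable(req, opts);
    const hit = cacheable ? store.get(key) : undefined;
    if (hit !== undefined) return hit;
    const body = fetch(req);
    if (cacheable) store.set(key, body);
    return body;
  };
}

// Constructed scenario: the same URL requested under two different cookie contexts.
function demo(opts: TransferCacheOptions = {}): string[] {
  const get = makeCache(opts);
  const backend = (r: Req) => `profile for ${r.headers['Cookie'] || 'anonymous'}`;
  const alice: Req = { method: 'GET', url: '/api/me', headers: { Cookie: 'session=alice' } };
  const bob: Req = { method: 'GET', url: '/api/me', headers: { Cookie: 'session=bob' } };
  return [get(alice, backend), get(bob, backend)];
}

// Default: each user gets their own response. With the opt-in, bob is served alice's
// cached body, which is the cross-user reuse this PR prevents by default.
console.log(demo(), demo({ includeRequestsWithAuthHeaders: true }));
```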