Skip to content

[Backport 20.3.X] skip transfer cache for credentialed requests and uncacheable request/responses#69093

Merged
atscott merged 2 commits into
angular:20.3.xfrom
SkyZeroZx:fix/transfercache
Jun 3, 2026
Merged

[Backport 20.3.X] skip transfer cache for credentialed requests and uncacheable request/responses#69093
atscott merged 2 commits into
angular:20.3.xfrom
SkyZeroZx:fix/transfercache

Conversation

@SkyZeroZx

@SkyZeroZx SkyZeroZx commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Backport of #69017

SkyZeroZx added 2 commits June 2, 2026 12:22
@SkyZeroZx
fix(http): skip transfer cache for fetch credentialed requests
8dbbd4a 
Treat HttpClient requests using `credentials: 'include'` and `same-origin` as credentialed when deciding whether a response can be stored in the HTTP transfer cache.

The transfer cache already skips requests with `withCredentials`, `Cookie`, `Authorization`, or `Proxy-Authorization` because those responses may contain user-specific data. Fetch-backed requests can express the same credentialed behavior through the `credentials` option, so these responses must not be serialized into the SSR HTML.

This keeps credentialed SSR responses out of TransferState and aligns the cache eligibility check with the fetch request options supported by HttpClient.

(cherry picked from commit 8ec0197)
@SkyZeroZx
fix(common): skip transfer cache for uncacheable HTTP traffic
374e7a5 
Do not store HTTP transfer cache entries when either the request or response uses `Cache-Control: no-store`, `Cache-Control: private`, or `Cache-Control: no-cache`.

Also skip transfer cache when requests use the Fetch API `cache` option with `no-store` or `no-cache`.

Because transfer cache serializes SSR HTTP responses into the rendered HTML, Angular now treats these directives conservatively to avoid exposing sensitive or explicitly uncacheable data through `TransferState`.

(cherry picked from commit 4d15015)

(cherry picked from commit 64ce11f)
@pullapprove pullapprove Bot requested a review from AndrewKushnir June 2, 2026 17:27
@angular-robot angular-robot Bot added area: common/http Issues related to HTTP and HTTP Client area: common Issues related to APIs in the @angular/common package labels Jun 2, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 2, 2026
@AndrewKushnir AndrewKushnir requested review from JeanMeche and removed request for AndrewKushnir June 2, 2026 23:43
@SkyZeroZx

SkyZeroZx commented Jun 3, 2026

Copy link
Copy Markdown
Contributor Author

I reviewed the CI logs, and I think this might be flaky. When I was backporting, the tests from HTTP ran correctly, so I'm not sure whether this is related to those changes.

//packages/core/test/acceptance:acceptance_web_chromium                   FLAKY, failed in 1 out of 2 in 31.0s
  Stats over 2 runs: max = 31.0s, min = 27.0s, avg = 29.0s, dev = 2.0s
  /home/runner/.cache/bazel/_bazel_runner/d249b5591f4df4cc05a9b72938674089/execroot/_main/bazel-out/k8-fastbuild/testlogs/packages/core/test/acceptance/acceptance_web_chromium/test_attempts/attempt_1.log
//packages/core/test/acceptance:acceptance_web_firefox                    FLAKY, failed in 2 out of 3 in 75.6s
  Stats over 3 runs: max = 75.6s, min = 42.9s, avg = 57.4s, dev = 13.6s
  /home/runner/.cache/bazel/_bazel_runner/d249b5591f4df4cc05a9b72938674089/execroot/_main/bazel-out/k8-fastbuild/testlogs/packages/core/test/acceptance/acceptance_web_firefox/test_attempts/attempt_1.log
  /home/runner/.cache/bazel/_bazel_runner/d249b5591f4df4cc05a9b72938674089/execroot/_main/bazel-out/k8-fastbuild/testlogs/packages/core/test/acceptance/acceptance_web_firefox/test_attempts/attempt_2.log
//packages/core/test/acceptance:acceptance                               FAILED in 3 out of 3 in 40.7s

@JeanMeche JeanMeche added action: merge The PR is ready for merge by the caretaker target: lts This PR is targeting a version currently in long-term support labels Jun 3, 2026
@atscott atscott merged commit 566ad05 into angular:20.3.x Jun 3, 2026
34 of 36 checks passed
@atscott

atscott commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JeanMeche JeanMeche JeanMeche approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: common/http Issues related to HTTP and HTTP Client area: common Issues related to APIs in the @angular/common package target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

3 participants

@SkyZeroZx @atscott @JeanMeche