Skip to content

[Backport 21.2.X] skip transfer cache for credentialed requests and uncacheable request/responses#69098

Merged
atscott merged 2 commits into
angular:21.2.xfrom
SkyZeroZx:fix/21-transfercache
Jun 4, 2026
Merged

[Backport 21.2.X] skip transfer cache for credentialed requests and uncacheable request/responses#69098
atscott merged 2 commits into
angular:21.2.xfrom
SkyZeroZx:fix/21-transfercache

Conversation

@SkyZeroZx

@SkyZeroZx SkyZeroZx commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Backport of #69017

SkyZeroZx added 2 commits June 2, 2026 13:50
@SkyZeroZx
fix(http): skip transfer cache for fetch credentialed requests
244a50b 
Treat HttpClient requests using `credentials: 'include'` and `same-origin` as credentialed when deciding whether a response can be stored in the HTTP transfer cache.

The transfer cache already skips requests with `withCredentials`, `Cookie`, `Authorization`, or `Proxy-Authorization` because those responses may contain user-specific data. Fetch-backed requests can express the same credentialed behavior through the `credentials` option, so these responses must not be serialized into the SSR HTML.

This keeps credentialed SSR responses out of TransferState and aligns the cache eligibility check with the fetch request options supported by HttpClient.

(cherry picked from commit 8ec0197)
@SkyZeroZx
fix(common): skip transfer cache for uncacheable HTTP traffic
969d730 
Do not store HTTP transfer cache entries when either the request or response uses `Cache-Control: no-store`, `Cache-Control: private`, or `Cache-Control: no-cache`.

Also skip transfer cache when requests use the Fetch API `cache` option with `no-store` or `no-cache`.

Because transfer cache serializes SSR HTTP responses into the rendered HTML, Angular now treats these directives conservatively to avoid exposing sensitive or explicitly uncacheable data through `TransferState`.

(cherry picked from commit 4d15015)

(cherry picked from commit 64ce11f)
@pullapprove pullapprove Bot requested a review from JeanMeche June 2, 2026 19:02
@angular-robot angular-robot Bot added area: common/http Issues related to HTTP and HTTP Client area: common Issues related to APIs in the @angular/common package labels Jun 2, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 2, 2026
@JeanMeche JeanMeche added action: merge The PR is ready for merge by the caretaker target: lts This PR is targeting a version currently in long-term support and removed target: lts This PR is targeting a version currently in long-term support labels Jun 2, 2026
@atscott atscott merged commit d846326 into angular:21.2.x Jun 4, 2026
27 checks passed
@atscott

atscott commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JeanMeche JeanMeche JeanMeche approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: common/http Issues related to HTTP and HTTP Client area: common Issues related to APIs in the @angular/common package target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

3 participants

@SkyZeroZx @atscott @JeanMeche