
The Jenkins web-application uses incorrect cache-control headers

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • Environment: Jenkins enterprise 1.509.5.1

      Incorrect caching headers

      Description:

      The Cache-Control header is used to determine if the requested page content should be cached or not. This caching can be done by a server, browser and proxies. The Cache-Control header is necessary to set when the response of the server contains sensitive information.

      Issue example:

      The Jenkins web-application uses incorrect cache-control headers. Below is a server response as an example. This is a structural issue.
      HTTP/1.1 200 OK
      Date: Tue, 25 Mar 2014 09:40:06 GMT
      Server: Winstone Servlet Engine v0.9.10
      Expires: 0
      Cache-Control: no-cache,must-revalidate
      X-Hudson-Theme: default
      X-Frame-Options: SAMEORIGIN
      Content-Type: text/html;charset=UTF-8
      X-Hudson: 1.395
      X-Jenkins: 1.509.5.1 (Jenkins Enterprise by CloudBees 13.05)
      X-Jenkins-Session: 8456547e
      X-Hudson-CLI-Port: 46210
      X-Jenkins-CLI-Port: 46210
      X-Jenkins-CLI2-Port: 46210
      X-SSH-Endpoint: 10.75.35.116:59696
      X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAufrFdr90ezSs51p3k56pEZ/57ErRzzF3jtp+FLU/f7M+84J6S35Y2NWo379t/sCTHCk/X/mUxy9ytx+lERSB1Vx4juXay/O+IaP2JrVD0NPQSrGmQo6ww/UzKkpZoAwRZFmHavm+dY0CtIuQkVD8M9BhaLLhtXzZipkEIM43Zj9gj04gP3kpsciu9U2jQ06sXWIJHdv9i51aa3iiW+kaFhmJea2KDI9h5trwOn8CqsTqAPfViubt4SrEhSrgklUnymJOAW8Auwy7he1B92nqf1k49Oi5XQ8amMFt8K3HCwxvQLE5rnp4gf4p+FaNYikqx5l10bPDAchMC9EnqdrxlwIDAQAB
      Content-Length: 25927
      X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
      Set-Cookie: JSESSIONID.414ae189=f714820873e51a11e4110cc582dab384; Path=/; HttpOnly
      X-XSS-PROTECTION: 1; mode=block
      Connection: close

      Advice:

      Implement the correct cache-control header, no-store no-cache, for all the pages that contain sensitive information.
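As an added example (not code from this issue or from Jenkins itself), a small Python checker that audits a raw HTTP response for the directives the advice asks for. The sample response is a trimmed copy of the one quoted above; the post-fix version is an assumption made by adding no-store to that same header.

```python
# Added example (not part of the Jira issue or of Jenkins): audit an HTTP
# response's Cache-Control header as the report's advice requires, i.e. both
# no-store and no-cache must be present on pages carrying sensitive content.
from typing import Dict, List

# Constructed sample: a trimmed copy of the response quoted in the report.
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Mar 2014 09:40:06 GMT\r\n"
    "Expires: 0\r\n"
    "Cache-Control: no-cache,must-revalidate\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

# Assumed post-fix form: the same response with no-store added to the header.
AFTER_FIX = BEFORE_FIX.replace(
    "Cache-Control: no-cache,must-revalidate",
    "Cache-Control: no-cache,no-store,must-revalidate",
)

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a lower-cased header name -> values map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")  # split at the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_control_directives(headers: Dict[str, List[str]]) -> set:
    """Collect directive names; repeated headers and 'name=value' forms are handled."""
    directives = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            name = token.strip().split("=", 1)[0].lower()
            if name:
                directives.add(name)
    return directives

def missing_directives(raw: str, required=("no-store", "no-cache")) -> List[str]:
    """Return the required directives the response lacks (empty list means OK)."""
    present = cache_control_directives(parse_headers(raw))
    return [d for d in required if d not in present]

if __name__ == "__main__":
    for label, resp in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "- missing:", missing_directives(resp) or "none")
```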


          Kohsuke Kawaguchi added a comment -

          Moving to the JENKINS project as I don't think this is a security vulnerability per se. After reading this post I still feel far from clear, but it does seem like the consensus is to also use no-store, so I'm going to make this change.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/a6766763c16333b2bd79f913f7a8ad97d980a9fd
          Log:
          [FIXED JENKINS-24337]

          Added no-store to the Cache-Control header

          Reference: http://stackoverflow.com/questions/866822/why-both-no-cache-and-no-store-should-be-used-in-http-response
          Reference: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2


          dogfood added a comment -

          Integrated in jenkins_main_trunk #3633
          [FIXED JENKINS-24337] (Revision a6766763c16333b2bd79f913f7a8ad97d980a9fd)

          Result = SUCCESS
          kohsuke : a6766763c16333b2bd79f913f7a8ad97d980a9fd
          Files :

          • core/src/main/resources/lib/layout/layout.jelly
          • changelog.html


            Assignee: Kohsuke Kawaguchi (kohsuke)
            Reporter: Wilder Rodrigues (wilder_rodrigues)