From f497cc379fc0254ddf303f50225a9ecc875679cc Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <ben@bnf.dev>
Date: Wed, 15 Nov 2023 23:04:42 +0100
Subject: [PATCH] [BUGFIX] Avoid 1s client-side backend request caching

Backend responses must never be cached. The previously used
Cache-Control instruction "must-revalidate" implicitly enabled
caching in order to possibly reuse a response. While that
could only happen when two requests to the same URL are
invoked within one second (because the browsers
`If-Modified-Since` header and our `Last-Modified` header
match, causing the webserver to issue a 304 response),
that is certainly possible in CI setups or fast user clicks.

Use `no-store` in order to instruct browsers not to cache
the response or attempt revalidation at all.

Resolves: #102377
Releases: main, 12.4, 11.5
Change-Id: Ic05cad748f824e7a45a1740aca15cd2fc3595a79
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81756
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
---
 .../sysext/core/Classes/Middleware/BackendUserAuthenticator.php | 2 +-
 .../filelist/Classes/Controller/FileDownloadController.php      | 2 +-
 .../Functional/Middleware/BackendUserAuthenticatorTest.php      | 2 +-
 typo3/sysext/install/Classes/Controller/InstallerController.php | 2 +-
 typo3/sysext/install/Classes/Controller/LayoutController.php    | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/typo3/sysext/core/Classes/Middleware/BackendUserAuthenticator.php b/typo3/sysext/core/Classes/Middleware/BackendUserAuthenticator.php
index 4b5ed7f26f85..ac90a8e15a78 100644
--- a/typo3/sysext/core/Classes/Middleware/BackendUserAuthenticator.php
+++ b/typo3/sysext/core/Classes/Middleware/BackendUserAuthenticator.php
@@ -76,7 +76,7 @@ abstract class BackendUserAuthenticator implements MiddlewareInterface
         $headers = [
             'Expires' => 0,
             'Last-Modified' => gmdate('D, d M Y H:i:s') . ' GMT',
-            'Cache-Control' => 'no-cache, must-revalidate',
+            'Cache-Control' => 'no-cache, no-store',
             // HTTP 1.0 compatibility, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma
             'Pragma' => 'no-cache',
         ];
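Review bot: `Last-Modified` two lines above the change is kept although `no-store` removes the only path it served, conditional revalidation, and the commit message itself identifies that header as the trigger of the 304 responses. If nothing else reads it, drop it; otherwise add a short comment so the next reader does not assume conditional requests are still honoured, e.g. `// informational only: no-store disables conditional revalidation`. The method that builds `$headers` starts and ends outside the hunk, so how the array is applied cannot be checked here.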
diff --git a/typo3/sysext/filelist/Classes/Controller/FileDownloadController.php b/typo3/sysext/filelist/Classes/Controller/FileDownloadController.php
index c8aec53b62a6..1fc1542a5988 100644
--- a/typo3/sysext/filelist/Classes/Controller/FileDownloadController.php
+++ b/typo3/sysext/filelist/Classes/Controller/FileDownloadController.php
@@ -116,7 +116,7 @@ class FileDownloadController
             ->withHeader('Content-Disposition', 'attachment; filename=' . $downloadFileName)
             ->withHeader('Content-Transfer-Encoding', 'binary')
             ->withHeader('Pragma', 'no-cache')
-            ->withHeader('Cache-Control', 'public, must-revalidate')
+            ->withHeader('Cache-Control', 'no-cache, no-store')
             ->withBody($this->streamFactory->createStreamFromFile($temporaryFileName));
     }
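Review bot: `$downloadFileName` is concatenated into `Content-Disposition` without quoting on the first context line, so a name containing a space, semicolon or double quote produces an ambiguous header; the hunk does not show where the name is derived, so it may already be constrained upstream. If it is not, quote it, `'attachment; filename="' . addcslashes($downloadFileName, '"\\') . '"'`, and consider an RFC 6266 `filename*=UTF-8''…` parameter for non-ASCII names. The new `no-cache, no-store` value matches the other hunks; the method's opening lines lie outside the hunk.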
 
diff --git a/typo3/sysext/frontend/Tests/Functional/Middleware/BackendUserAuthenticatorTest.php b/typo3/sysext/frontend/Tests/Functional/Middleware/BackendUserAuthenticatorTest.php
index 3aefe379563f..8272a0fa2643 100644
--- a/typo3/sysext/frontend/Tests/Functional/Middleware/BackendUserAuthenticatorTest.php
+++ b/typo3/sysext/frontend/Tests/Functional/Middleware/BackendUserAuthenticatorTest.php
@@ -64,7 +64,7 @@ class BackendUserAuthenticatorTest extends FunctionalTestCase
             (new InternalRequest())->withPageId(1),
             (new InternalRequestContext())->withBackendUserId(1)
         );
-        self::assertEquals('no-cache, must-revalidate', $response->getHeaders()['Cache-Control'][0]);
+        self::assertEquals('no-cache, no-store', $response->getHeaders()['Cache-Control'][0]);
         self::assertEquals('no-cache', $response->getHeaders()['Pragma'][0]);
         self::assertEquals(0, $response->getHeaders()['Expires'][0]);
     }
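Review bot: The updated assertion still reaches the header via `getHeaders()['Cache-Control'][0]`, which depends on the exact header-name casing the middleware used and fails with an undefined-index warning instead of an assertion message if the header is absent. `self::assertSame('no-cache, no-store', $response->getHeaderLine('Cache-Control'));` is case-insensitive per PSR-7, returns `''` when missing, and makes the comparison strict; the two `Pragma` and `Expires` assertions below would benefit from the same form. The test method begins outside the hunk.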
diff --git a/typo3/sysext/install/Classes/Controller/InstallerController.php b/typo3/sysext/install/Classes/Controller/InstallerController.php
index af244b901881..761c1e5a0690 100644
--- a/typo3/sysext/install/Classes/Controller/InstallerController.php
+++ b/typo3/sysext/install/Classes/Controller/InstallerController.php
@@ -166,7 +166,7 @@ class InstallerController
             $view->render(),
             200,
             [
-                'Cache-Control' => 'no-cache, must-revalidate',
+                'Cache-Control' => 'no-cache, no-store',
                 'Pragma' => 'no-cache',
             ]
         );
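Review bot: The `Cache-Control`/`Pragma` pair is hand-written identically here in InstallerController and in LayoutController (next hunk), and a superset of it in BackendUserAuthenticator, which is why this fix had to touch every site; a shared constant such as `private const NO_CACHE_HEADERS = ['Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'];` on a class both controllers can reach would keep the policy in one place. Unlike BackendUserAuthenticator this response sets no `Expires`, which is acceptable once `no-store` is present, but a one-line comment stating that would stop someone later "harmonising" it by re-adding `must-revalidate`. The response constructor call begins outside the hunk.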
diff --git a/typo3/sysext/install/Classes/Controller/LayoutController.php b/typo3/sysext/install/Classes/Controller/LayoutController.php
index 6d179ec8554a..b735d55b0a45 100644
--- a/typo3/sysext/install/Classes/Controller/LayoutController.php
+++ b/typo3/sysext/install/Classes/Controller/LayoutController.php
@@ -79,7 +79,7 @@ class LayoutController extends AbstractController
             $view->render(),
             200,
             [
-                'Cache-Control' => 'no-cache, must-revalidate',
+                'Cache-Control' => 'no-cache, no-store',
                 'Pragma' => 'no-cache',
             ]
         );
-- 
GitLab