WebApp Sec mailing list archives

RE: Mozilla Firefox can't disable browser cache. Why?


From: "Tony Stahler" <TStahler () tempographics com>
Date: Wed, 23 Aug 2006 09:44:15 -0500

In previous versions I'd tested a web app I was making - it doesn't
cache for normal requests.  The back button keeps a certain number of
previous pages cached internally no matter what.  For instance, when I
fill out a form - then go to another page - if I click back it will give
me the previous page with all the data still in the form.  

I just tried packet sniffing on FF 1.0.7, and it doesn't even make a
request when you click the back button.  Maybe there's somewhere to turn
this off, but I've never seen the setting.

-Tony


-----Original Message-----
From: smith.norton () gmail com [mailto:smith.norton () gmail com] 
Sent: Wednesday, August 23, 2006 8:07 AM
To: webappsec () securityfocus com
Subject: Mozilla Firefox can't disable browser cache. Why?

I have two pages.

a.php
------

<?php
Header("Pragma: no-cache"); #HTTP 1.0
Header("Cache-control: private, no-cache, no-store"); #HTTP 1.1
Header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); #date in the past
?>

<html>
<head>
<title>1st Page</title>
</head>
<body>
<p>
This is the first page.<br>
<a href="b.html">Click here</a> to go to the second page.
</p>
</body>
</html>

b.html
------
<html>
<head>
<meta http-equiv="cache-control" content="no-cache">
<title>2nd Page</title>
</head>
<body>
<p>
This is the second page.<br>
</p>
</body>
</html>

Then I try the following steps:

1. Open http://[mysite]/a.php
2. Click the link on it to go to b.html.
3. Then click on "Work Offline" from the "File" menu of the browser.
4. Hit the back button.

I am expecting that on pressing the back button I shouldn't be able to
get a.php since caching was disabled.

When I try the above steps with Internet Explorer, I am unable to get
back a.php in "offline" mode. So this is OK.

But, when I try the above steps with Mozilla Firefox, I am able to get
back a.php in "offline" mode even though caching was disabled.

Why didn't Mozilla Firefox obey the directives in the HTTP Headers?
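As an added check (not code from either poster), the Python below parses responses for a.php and b.html, constructed here to match the pages quoted above, and reports which anti-caching signals each carries at the HTTP layer versus only in a meta tag. The meta http-equiv form is seen only by the HTML parser; proxies and the browser's HTTP cache act on the headers alone.

```python
import re
from datetime import datetime, timezone
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed responses modelled on the thread's a.php and b.html
# (assumed wire format; not captured from the poster's server).
A_PHP = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: private, no-cache, no-store\r\n"
    "Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n\r\n"
    "<html><head><title>1st Page</title></head>"
    "<body><p>This is the first page.</p></body></html>"
)
B_HTML = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><meta http-equiv="cache-control" content="no-cache">'
    "<title>2nd Page</title></head><body><p>This is the second page.</p></body></html>"
)

META_RE = re.compile(r'<meta\s+http-equiv="cache-control"\s+content="([^"]*)"', re.I)

def _directives(value):
    """Split a Cache-Control value into a set of lower-case directive names."""
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}

def assess(raw):
    """Report the anti-caching signals present in a raw HTTP response string."""
    head, _, body = raw.partition("\r\n\r\n")
    _status, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block + "\r\n")
    http_cc = set()
    for value in headers.get_all("Cache-Control", []):
        http_cc |= _directives(value)
    meta_cc = set()
    for m in META_RE.finditer(body):
        meta_cc |= _directives(m.group(1))
    expires, expired = headers.get("Expires"), False
    if expires:
        try:
            expired = parsedate_to_datetime(expires) <= datetime.now(timezone.utc)
        except (TypeError, ValueError):
            expired = True  # an unparseable Expires date is treated as already expired
    return {
        "no_store": "no-store" in http_cc,  # the only directive that forbids storing at all
        "no_cache": "no-cache" in http_cc or headers.get("Pragma", "").strip().lower() == "no-cache",
        "expired": expired,
        "meta_only": not http_cc and bool(meta_cc),  # HTML-only hint; HTTP caches never see it
    }

if __name__ == "__main__":
    print("a.php  ", assess(A_PHP))
    print("b.html ", assess(B_HTML))
```

None of these signals governs the back-button behaviour described in the thread; the check tells you only what the HTTP layer and any intermediaries will see.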

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC.
Download a free trial of AppScan today and see why more customers choose
AppScan than any other solution. Try it today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------

