Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cache is stored even after sending no-cache, no-store, must-revalidate headers

  • 6 replies
  • 1 has this problem
  • 1 view
  • Last reply by achoudhary

more options

Hello Support,

We require to prevent the firefox from storing our website's sensitive pages. We are in need of a SSL certificate and SSL company are seeing it as a security threat when the sensitive pages are being stored in cache and even after we turn off the internet the pages still show up.

We have tried disabling the cache using server side code but nothing works. We tried HTML meta tags as below:

<meta http-equiv="cache-control" content="max-age=0" /> <meta http-equiv="cache-control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="expires" content="0" /> <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /> <meta http-equiv="pragma" content="no-cache" />

Then tried with PHP, still didn't worked:

header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1. header("Pragma: no-cache"); // HTTP 1.0. header("Expires: 0"); // Proxies.


Though it shows the correct response headers but does not work. I have posted a similar Questions on stackoverflow.com but it seems that no one has any answer to this.

Stackoverflow Link: https://stackoverflow.com/questions/35842135/firefox-stores-cache-even-if-meta-tag-is-set-to-no-cache-no-store-must-revalid

Same settings work on chrome and other major browsers but does not work in firefox. On work offline mode, pages should not show up if I'm right.

Can you enlighten me on this as in what's really happening with Firefox? I am using Firefox version 44.0.2 on Windows 7 64-bit Platform.

Thanks

Hello Support, We require to prevent the firefox from storing our website's sensitive pages. We are in need of a SSL certificate and SSL company are seeing it as a security threat when the sensitive pages are being stored in cache and even after we turn off the internet the pages still show up. We have tried disabling the cache using server side code but nothing works. We tried HTML meta tags as below: <!-- Cache control --> <meta http-equiv="cache-control" content="max-age=0" /> <meta http-equiv="cache-control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="expires" content="0" /> <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /> <meta http-equiv="pragma" content="no-cache" /> Then tried with PHP, still didn't worked: header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1. header("Pragma: no-cache"); // HTTP 1.0. header("Expires: 0"); // Proxies. Though it shows the correct response headers but does not work. I have posted a similar Questions on stackoverflow.com but it seems that no one has any answer to this. Stackoverflow Link: https://stackoverflow.com/questions/35842135/firefox-stores-cache-even-if-meta-tag-is-set-to-no-cache-no-store-must-revalid Same settings work on chrome and other major browsers but does not work in firefox. On work offline mode, pages should not show up if I'm right. Can you enlighten me on this as in what's really happening with Firefox? I am using Firefox version 44.0.2 on Windows 7 64-bit Platform. Thanks

Modified by achoudhary

All Replies (6)

more options

I'm a little surprised, but if you need a workaround, you can use POST instead of GET to retrieve sensitive pages. Example:

https://jeffersonscher.com/res/nostore1.php

more options

Thanks for the reply Jscher.

I wonder if its possible through GET only as we the sensitive info we are displaying is dynamically generated to an HTML page. Now this HTML page is accessed through the web and we cannot check if its post request in HTML pages. Is there any way we can get it done on HTML pages through GET request?

Thanks

more options

Hopefully someone else can answer about GET requests.

About this:

achoudhary said

... the sensitive info we are displaying is dynamically generated to an HTML page. Now this HTML page is accessed through the web and we cannot check if its post request in HTML pages.

But you're not wedded to a static HTML page, right? You can use PHP, ASP.Net, or another scripting language to detect the request type of the main page and embed an anti-CSRF token that allows you to validate the source of the background request. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

more options

Yes We can do that. But the question remains the same. Is there a way to accomplish that on HTML pages?

Even if I turn-off the internet or unplug the internet cable still the webpages show up.

Weird it seems to me and SSL company. CTRL + f5 doesn't respond.

This might be a security threat as I can see. If there's some background trojan running offline and gathering the info and sends the bundled info gathered(during offline) when we're online.

Any ways, thanks for the support. So the solution that came out is that we cannot prevent firefox from storing cache through get request if the page is a simple HTML page and it will continue to show up even if the internet is not connected.

more options

This is not a developer support site, so don't take the lack of response to your question as "the answer."

Where to go for developer support