[Rt-commit] rt branch 5.0/strict-browser-security created. rt-5.0.5-95-g4f3311bbc1

BPS Git Server git at git.bestpractical.com
Mon Dec 18 21:27:55 UTC 2023


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/strict-browser-security has been created
        at  4f3311bbc1869ebd4f0d6dd93e69636e407f2e3d (commit)

- Log -----------------------------------------------------------------
commit 4f3311bbc1869ebd4f0d6dd93e69636e407f2e3d
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Mon Dec 18 16:01:06 2023 -0500

    Add $WebStrictBrowserCache option to disable browser cache
    
    RT systems that store sensitive data may want to disable all
    browser cache and back button behavior. This option enables
    that and moves these headers to a separate Mason template
    for easy override.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6433198a36..39b4e296f6 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1573,6 +1573,20 @@ off I<unless> user connections to RT are secured by some other method.
 
 Set($WebSecureCookies, 1);
 
+=item C<$WebStrictBrowserCache>
+
+As part of normal operation, browsers typically store some browsing
+history, enabling the Back button to work. Browsers also often
+cache pages in the browsing history to improve performance.
+
+Enable this option if you are using RT with highly ssensitive
+information and want to signal the browser to not store any history
+or cache any data. The default is disabled.
+
+=cut
+
+Set($WebStrictBrowserCache, 0);
+
 =item C<$WebHttpOnlyCookies>
 
 Default RT's session cookie to not being directly accessible to
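Review bot: The new POD paragraph starting `Enable this option if you are using RT with highly ssensitive` has a typo; it should read `highly sensitive`. The same paragraph says the option signals the browser "to not store any history", but what the option does elsewhere in this commit is emit Cache-Control and Expires headers, which govern caching rather than the history list, so the promise reads stronger than the mechanism; consider `want to signal the browser not to cache any page data. The default is disabled.` It may also help an administrator to state here that the headers are only sent for pages that render the standard or mobile page header, if that is the intended scope.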
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 04fbe3dcd5..5a7edccc35 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1889,6 +1889,9 @@ our %META;
     WebSecureCookies => {
         Widget => '/Widgets/Form/Boolean',
     },
+    WebStrictBrowserCache => {
+        Widget => '/Widgets/Form/Boolean',
+    },
     WikiImplicitLinks => {
         Widget => '/Widgets/Form/Boolean',
     },
diff --git a/share/html/Elements/Header b/share/html/Elements/Header
index 14be9196af..6dc9396461 100644
--- a/share/html/Elements/Header
+++ b/share/html/Elements/Header
@@ -123,8 +123,7 @@ $lang = $session{'CurrentUser'}->LanguageHandle->language_tag
      && $session{'CurrentUser'}->LanguageHandle
      && $session{'CurrentUser'}->LanguageHandle->language_tag;
 
-$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
+$m->comp('/Elements/HttpResponseHeaders');
 
 my $id = $m->request_comp->path;
 $id =~ s|^/||g;
diff --git a/share/html/m/_elements/header b/share/html/Elements/HttpResponseHeaders
similarity index 71%
copy from share/html/m/_elements/header
copy to share/html/Elements/HttpResponseHeaders
index fbf873c61f..b1c635b8d5 100644
--- a/share/html/m/_elements/header
+++ b/share/html/Elements/HttpResponseHeaders
@@ -45,30 +45,23 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-<%args>
-$title => loc('RT for [_1]', RT->Config->Get('rtname'))
-$show_home_button => 1
-</%args>
-<%init>
+<%INIT>
+if ( RT->Config->Get('WebStrictBrowserCache') ) {
+
+    # Instruct the browser not to cache content
+    $r->headers_out->{'Cache-control'} = 'no-cache, no-store, must-revalidate, max-age=0, s-maxage=0';
+
+    my $expires = RT::Date->new(RT->SystemUser);
+    $expires->SetToNow;
+    # Make sure it's in the past to allow no cache
+    $expires->AddSeconds(-10);
+    $r->headers_out->{'Expires'} = $expires->RFC2616;
+}
+else {
+    $r->headers_out->{'Cache-control'} = 'no-cache';
+}
+
 $r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
-</%init>
-<html>
-<head>
-<link rel="stylesheet" type="text/css" href="<%RT->Config->Get('WebPath')%>/static/css/mobile.css"/>
-<title><%$title%></title>
-% my ($jquery) = grep { /^jquery-\d+\./ } RT::Interface::Web->JSFiles;
-<script src="<% RT->Config->Get('WebPath') %>/static/js/<% $jquery %>"></script>
-<meta name="viewport" content="width=device-width height=device-height user-scalable=yes"/>
-<& /Elements/Framekiller &>
-</head>
-<body>
-% if ($show_home_button) {
-% # The align is for older browsers, like the blackberry
-<div id="gohome" align="right">
-<a href="<%RT->Config->Get('WebPath')%>/m/"><&|/l&>Homepage</&></a>
-</div>
-% }
-% if ($title) {
-<h1><%$title%></h1>
-% }
+
+$m->callback( %ARGS, CallbackName => 'End' );
+</%INIT>
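Review bot: The strict headers set inside `if ( RT->Config->Get('WebStrictBrowserCache') )` are only emitted from this component, which the commit wires into /Elements/Header and the mobile header; responses that render neither (attachment downloads, REST or JSON endpoints) would appear to keep whatever caching headers they already had, so the responses carrying the most sensitive data may be the ones left out — worth confirming against the request handler and, if the gap is intentional, documenting it with the option. Of the directives in the `Cache-control` value, `no-store` is the one that keeps the response out of the browser's persistent cache and back/forward cache; the others are harmless belt-and-braces. The `Expires` value built from RT::Date is a past timestamp, which is valid; a constant such as `$r->headers_out->{'Expires'} = '0';` is also widely used and avoids constructing a date object on every request.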
diff --git a/share/html/m/_elements/header b/share/html/m/_elements/header
index fbf873c61f..e82459e578 100644
--- a/share/html/m/_elements/header
+++ b/share/html/m/_elements/header
@@ -50,8 +50,7 @@ $title => loc('RT for [_1]', RT->Config->Get('rtname'))
 $show_home_button => 1
 </%args>
 <%init>
-$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
+$m->comp('/Elements/HttpResponseHeaders');
 </%init>
 <html>
 <head>

-----------------------------------------------------------------------

