[Rt-commit] rt branch 5.0/strict-browser-security created. rt-5.0.5-95-gba85d931a1

BPS Git Server git at git.bestpractical.com
Mon Dec 18 21:33:50 UTC 2023



The branch, 5.0/strict-browser-security has been created
        at  ba85d931a1658639273ea8dcb8073ce6cf734c67 (commit)

- Log -----------------------------------------------------------------
commit ba85d931a1658639273ea8dcb8073ce6cf734c67
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Mon Dec 18 16:01:06 2023 -0500

    Add $WebStrictBrowserCache option to disable browser cache
    
    RT systems that store sensitive data may want to disable all
    browser cache and back button behavior. This option enables
    that and moves these headers to a separate Mason template
    for easy override.
    
    See: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6433198a36..39b4e296f6 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1573,6 +1573,20 @@ off I<unless> user connections to RT are secured by some other method.
 
 Set($WebSecureCookies, 1);
 
+=item C<$WebStrictBrowserCache>
+
+As part of normal operation, browsers typically store some browsing
+history, enabling the Back button to work. Browsers also often
+cache pages in the browsing history to improve performance.
+
+Enable this option if you are using RT with highly ssensitive
+information and want to signal the browser to not store any history
+or cache any data. The default is disabled.
+
+=cut
+
+Set($WebStrictBrowserCache, 0);
+
 =item C<$WebHttpOnlyCookies>
 
 Default RT's session cookie to not being directly accessible to
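Review bot: The new POD has a typo, "highly ssensitive" should read "highly sensitive", and the sentence "signal the browser to not store any history" overstates what the option does: Cache-Control/Expires headers govern caching, not the browser's history list, so visited URLs are still recorded and what the option actually buys is that navigating back re-requests the page instead of showing a stored copy. I would reword the second paragraph to `Enable this option if you are using RT with highly sensitive information and want to instruct the browser not to cache any page content, so that navigating back re-requests the page from RT rather than displaying a stored copy. The default is disabled.` The paragraph could also say which responses are covered, since the diff only shows the strict headers being emitted from the HTML page-header templates; whether other responses (attachments, REST) are included cannot be told from this hunk.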
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 04fbe3dcd5..5a7edccc35 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1889,6 +1889,9 @@ our %META;
     WebSecureCookies => {
         Widget => '/Widgets/Form/Boolean',
     },
+    WebStrictBrowserCache => {
+        Widget => '/Widgets/Form/Boolean',
+    },
     WikiImplicitLinks => {
         Widget => '/Widgets/Form/Boolean',
     },
diff --git a/share/html/Elements/Header b/share/html/Elements/Header
index 14be9196af..6dc9396461 100644
--- a/share/html/Elements/Header
+++ b/share/html/Elements/Header
@@ -123,8 +123,7 @@ $lang = $session{'CurrentUser'}->LanguageHandle->language_tag
      && $session{'CurrentUser'}->LanguageHandle
      && $session{'CurrentUser'}->LanguageHandle->language_tag;
 
-$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
+$m->comp('/Elements/HttpResponseHeaders');
 
 my $id = $m->request_comp->path;
 $id =~ s|^/||g;
diff --git a/share/html/m/_elements/header b/share/html/Elements/HttpResponseHeaders
similarity index 71%
copy from share/html/m/_elements/header
copy to share/html/Elements/HttpResponseHeaders
index fbf873c61f..b1c635b8d5 100644
--- a/share/html/m/_elements/header
+++ b/share/html/Elements/HttpResponseHeaders
@@ -45,30 +45,23 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-<%args>
-$title => loc('RT for [_1]', RT->Config->Get('rtname'))
-$show_home_button => 1
-</%args>
-<%init>
+<%INIT>
+if ( RT->Config->Get('WebStrictBrowserCache') ) {
+
+    # Instruct the browser not to cache content
+    $r->headers_out->{'Cache-control'} = 'no-cache, no-store, must-revalidate, max-age=0, s-maxage=0';
+
+    my $expires = RT::Date->new(RT->SystemUser);
+    $expires->SetToNow;
+    # Make sure it's in the past to allow no cache
+    $expires->AddSeconds(-10);
+    $r->headers_out->{'Expires'} = $expires->RFC2616;
+}
+else {
+    $r->headers_out->{'Cache-control'} = 'no-cache';
+}
+
 $r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
-</%init>
-<html>
-<head>
-<link rel="stylesheet" type="text/css" href="<%RT->Config->Get('WebPath')%>/static/css/mobile.css"/>
-<title><%$title%></title>
-% my ($jquery) = grep { /^jquery-\d+\./ } RT::Interface::Web->JSFiles;
-<script src="<% RT->Config->Get('WebPath') %>/static/js/<% $jquery %>"></script>
-<meta name="viewport" content="width=device-width height=device-height user-scalable=yes"/>
-<& /Elements/Framekiller &>
-</head>
-<body>
-% if ($show_home_button) {
-% # The align is for older browsers, like the blackberry
-<div id="gohome" align="right">
-<a href="<%RT->Config->Get('WebPath')%>/m/"><&|/l&>Homepage</&></a>
-</div>
-% }
-% if ($title) {
-<h1><%$title%></h1>
-% }
+
+$m->callback( %ARGS, CallbackName => 'End' );
+</%INIT>
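Review bot: The strict directives are only sent when a component renders /Elements/HttpResponseHeaders, which in this diff means the desktop and mobile page headers; responses that never reach those templates (attachment downloads, REST/JSON output, anything that short-circuits before the header) would presumably keep whatever cache headers they set today, so the "disable all browser cache" promise of `$WebStrictBrowserCache` may not hold for them and is worth confirming against the request handler. A scope comment at the top of the `<%INIT>` block would help anyone overriding this template, e.g. `# Emitted from /Elements/Header and /m/_elements/header only; responses that bypass those templates are not covered here.` Minor: once `Cache-Control: max-age=0` is present, HTTP/1.1 caches ignore `Expires`, so the per-request RT::Date construction on the `$expires` lines could be replaced by the literal `$r->headers_out->{'Expires'} = '0';` that the cited OWASP guide uses; both forms are treated as already expired, so this is a simplification rather than a correctness issue.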
diff --git a/share/html/m/_elements/header b/share/html/m/_elements/header
index fbf873c61f..e82459e578 100644
--- a/share/html/m/_elements/header
+++ b/share/html/m/_elements/header
@@ -50,8 +50,7 @@ $title => loc('RT for [_1]', RT->Config->Get('rtname'))
 $show_home_button => 1
 </%args>
 <%init>
-$r->headers_out->{'Pragma'} = 'no-cache';
-$r->headers_out->{'Cache-control'} = 'no-cache';
+$m->comp('/Elements/HttpResponseHeaders');
 </%init>
 <html>
 <head>
