http-cache: do not cache responses from requests with authorization

servo · Jun 20, 2019 · 67494d4 · 67494d4
1 parent 049817c
commit 67494d4
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/components/net/http_cache.rs b/components/net/http_cache.rs
@@ -802,6 +802,15 @@ impl HttpCache {
             // Only Get requests are cached.
             return;
         }
+        if request.headers.contains_key(header::AUTHORIZATION) {
+            // https://tools.ietf.org/html/rfc7234#section-3.1
+            // A shared cache MUST NOT use a cached response
+            // to a request with an Authorization header field
+            //
+            // TODO: unless a cache directive that allows such
+            // responses to be stored is present in the response.
+            return;
+        };
         let entry_key = CacheKey::new(request.clone());
         let metadata = match response.metadata() {
             Ok(FetchMetadata::Filtered {