
Release 2556


@github-actions github-actions released this 23 Jun 14:12
4d05494

Trello card

Trello-615

Context

There is an issue with CSRF tokens and mobile Safari whereby the page can be reloaded from the store/cache and submitted after the session has been cleared (resulting in an InvalidAuthenticityToken error). It is not enough to specify max-age=0; we need to tell Safari not to store the page at all with no-store, no-cache, so that the page is always retrieved from the server and carries a valid CSRF token.
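As an added example that is not part of this PR, the following plain-Ruby, Rack-style middleware (only the Rack calling convention is assumed; NoStoreHtml, parse_cache_control and safari_safe? are hypothetical names) parses the Cache-Control header and forces no-store, no-cache onto HTML responses that only sent max-age=0, leaving non-HTML responses untouched:

```ruby
# Added example, not the PR's own code: a Rack-style middleware that forces
# "no-store, no-cache" onto HTML responses so a page Safari restores from its
# cache cannot be submitted with a CSRF token from an already-cleared session.
# Assumes only the Rack calling convention; no gems are required.

# Case-insensitive header lookup (Rack 2 uses "Cache-Control", Rack 3 "cache-control").
def header(headers, name)
  pair = headers.find { |key, _| key.casecmp?(name) }
  pair && pair[1]
end

# Parse a Cache-Control value into a directive => argument hash,
# e.g. "max-age=0, private" => { "max-age" => "0", "private" => nil }.
def parse_cache_control(value)
  return {} if value.nil?
  value.split(",").each_with_object({}) do |token, directives|
    name, arg = token.strip.split("=", 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = arg
  end
end

# max-age=0 alone still lets the browser serve the page from its store;
# only no-store guarantees a fresh request, and therefore a fresh token.
def safari_safe?(cache_control)
  parse_cache_control(cache_control).key?("no-store")
end

class NoStoreHtml
  HEADER_VALUE = "no-store, no-cache".freeze
  def initialize(app)
    @app = app
  end
  def call(env)
    status, headers, body = @app.call(env)
    if html?(headers) && !safari_safe?(header(headers, "Cache-Control"))
      headers = headers.reject { |key, _| key.casecmp?("Cache-Control") }
      headers["Cache-Control"] = HEADER_VALUE
    end
    [status, headers, body]
  end
  def html?(headers)
    header(headers, "Content-Type").to_s.start_with?("text/html")
  end
end

# Constructed sample: a form page that, like the old behaviour, only sent max-age=0.
FORM_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "Cache-Control" => "max-age=0" }, ["<form></form>"]]
end
FIXED_HEADERS = NoStoreHtml.new(FORM_APP).call({})[1]
```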

Changes proposed in this pull request

  • Prevent InvalidAuthenticityToken errors in Safari

Guidance to review

Given we were specifying max-age=0 anyway, this should have a negligible impact on performance; the 'back' function of browsers may load a preview from the cache/store and will now re-request it from the server, but I think that's about the only difference. On checking the Cache-Control headers I'm only seeing no-store even though no-cache is also specified, but I think it may be optimised out as no-store covers no-cache; leaving it in as per the recommendation in the GitHub issue, though.