refactor: add cache-control header in the polling response

This header should not be needed since the client already includes a cache busting query parameter ("t"), but a misconfigured CDN could ignore the query parameters and cache the server response. Related: socketio/socket.io#4842
socketio · Oct 5, 2023 · 9545b44 · 9545b44
1 parent ff1c861
commit 9545b44
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/lib/transports-uws/polling.ts b/lib/transports-uws/polling.ts
@@ -423,6 +423,8 @@ export class Polling extends Transport {
       headers["X-XSS-Protection"] = "0";
     }
 
+    headers["cache-control"] = "no-store";
+
     this.emit("headers", headers, req);
     return headers;
   }

diff --git a/lib/transports/polling.ts b/lib/transports/polling.ts
@@ -392,6 +392,8 @@ export class Polling extends Transport {
       headers["X-XSS-Protection"] = "0";
     }
 
+    headers["cache-control"] = "no-store";
+
     this.emit("headers", headers, req);
     return headers;
   }

diff --git a/test/server.js b/test/server.js
@@ -3443,13 +3443,12 @@ describe("server", () => {
   });
 
   describe("response headers", () => {
-    function testForHeaders(headers, done) {
+    function testForHeaders(headers, callback) {
       const engine = listen((port) => {
         engine.on("connection", (conn) => {
           conn.transport.once("headers", (headers) => {
-            expect(headers["X-XSS-Protection"]).to.be("0");
+            callback(headers);
             conn.close();
-            done();
           });
           conn.send("hi");
         });
@@ -3465,15 +3464,28 @@ describe("server", () => {
         "user-agent":
           "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)",
       };
-      testForHeaders(headers, done);
+      testForHeaders(headers, (headers) => {
+        expect(headers["X-XSS-Protection"]).to.be("0");
+        done();
+      });
     });
 
     it("should contain X-XSS-Protection: 0 for IE11", (done) => {
       const headers = {
         "user-agent":
           "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
       };
-      testForHeaders(headers, done);
+      testForHeaders(headers, (headers) => {
+        expect(headers["X-XSS-Protection"]).to.be("0");
+        done();
+      });
+    });
+
+    it("should include a 'cache-control' header", (done) => {
+      testForHeaders({}, (headers) => {
+        expect(headers["cache-control"]).to.be("no-store");
+        done();
+      });
     });
 
     it("should emit a 'initial_headers' event (polling)", (done) => {