From 9545b44b3cccc1e2ff51c126d0d759571e22b3a6 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Thu, 5 Oct 2023 17:14:09 +0200
Subject: [PATCH] refactor: add cache-control header in the polling response

This header should not be needed since the client already includes a cache busting query parameter ("t"), but a misconfigured CDN could ignore the query parameters and cache the server response.

Related: https://github.com/socketio/socket.io/issues/4842
---
 lib/transports-uws/polling.ts | 2 ++
 lib/transports/polling.ts | 2 ++
 test/server.js | 22 +++++++++++++++++-----
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/lib/transports-uws/polling.ts b/lib/transports-uws/polling.ts
index ce503a8a..4ce6e52f 100644
--- a/lib/transports-uws/polling.ts
+++ b/lib/transports-uws/polling.ts
@@ -423,6 +423,8 @@ export class Polling extends Transport {
 headers["X-XSS-Protection"] = "0";
 }
 
+ headers["cache-control"] = "no-store";
+
 this.emit("headers", headers, req);
 return headers;
 }
diff --git a/lib/transports/polling.ts b/lib/transports/polling.ts
index 70be3411..f0edcdc8 100644
--- a/lib/transports/polling.ts
+++ b/lib/transports/polling.ts
@@ -392,6 +392,8 @@ export class Polling extends Transport {
 headers["X-XSS-Protection"] = "0";
 }
 
+ headers["cache-control"] = "no-store";
+
 this.emit("headers", headers, req);
 return headers;
 }
diff --git a/test/server.js b/test/server.js
index fa0ab9c0..a373837e 100644
--- a/test/server.js
+++ b/test/server.js
@@ -3443,13 +3443,12 @@ describe("server", () => {
 });
 
 describe("response headers", () => {
- function testForHeaders(headers, done) {
+ function testForHeaders(headers, callback) {
 const engine = listen((port) => {
 engine.on("connection", (conn) => {
 conn.transport.once("headers", (headers) => {
- expect(headers["X-XSS-Protection"]).to.be("0");
+ callback(headers);
 conn.close();
- done();
 });
 conn.send("hi");
 });
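Review bot: In lib/transports-uws/polling.ts the new `headers["cache-control"] = "no-store";` has no comment, so the code alone does not say that it guards against an intermediary that ignores the `t` cache-busting parameter and stores a polling response; I would add `// never let a shared cache store a polling response, even one that ignores the "t" query parameter` above it, and above the identical line in lib/transports/polling.ts. The key is lower-case while the neighbouring `X-XSS-Protection` is not, and the assignment runs before `this.emit("headers", headers, req)`, so a listener that sets `Cache-Control` in another casing would leave two entries in the object. Whether both then reach the wire depends on how the caller writes the object out, which is outside the hunk, as is the start of the enclosing method.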
@@ -3465,7 +3464,10 @@ describe("server", () => {
 "user-agent":
 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)",
 };
- testForHeaders(headers, done);
+ testForHeaders(headers, (headers) => {
+ expect(headers["X-XSS-Protection"]).to.be("0");
+ done();
+ });
 });
 
 it("should contain X-XSS-Protection: 0 for IE11", (done) => {
@@ -3473,7 +3475,17 @@ describe("server", () => {
 "user-agent":
 "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
 };
- testForHeaders(headers, done);
+ testForHeaders(headers, (headers) => {
+ expect(headers["X-XSS-Protection"]).to.be("0");
+ done();
+ });
+ });
+
+ it("should include a 'cache-control' header", (done) => {
+ testForHeaders({}, (headers) => {
+ expect(headers["cache-control"]).to.be("no-store");
+ done();
+ });
 });
 
 it("should emit a 'initial_headers' event (polling)", (done) => {
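Review bot: The callback parameter in `testForHeaders(headers, (headers) => {` shadows the request-header object passed as the first argument, so inside the callback `headers` means the response headers instead. Renaming it keeps the two apart, e.g. `testForHeaders(headers, (responseHeaders) => {` with `expect(responseHeaders["X-XSS-Protection"]).to.be("0");`. The IE11 test in the next hunk has the same shadowing, and the enclosing `it(...)` starts above this hunk.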
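Review bot: The new `should include a 'cache-control' header` test asserts on the object handed to the transport's `headers` event, not on the HTTP response that a client or an intermediary cache would actually receive. Because the header exists to keep caches from storing polling responses, the test would not catch a regression where the value is set on the object but dropped or overridden before it is written. An additional assertion on the received response would close that gap, e.g. `expect(res.headers["cache-control"]).to.be("no-store");`, where `res` is a placeholder for the client-side response object; the request code of `testForHeaders` is outside the hunks, so where this fits is for the author to confirm. From the visible lines it also cannot be told whether the uws transport, which received the same change, is exercised by this test.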