Add Clear-Site-Data header

This adds a Clear-Site-Data header to the logout response which will delete all relevant data in the caches which may contain potentially sensitive content. See https://w3c.github.io/webappsec-clear-site-data/#header for the definition of the types. Ref https://twitter.com/mikewest/status/877149667909406723 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
nextcloud · Jun 20, 2017 · 2f87fb6 · 2f87fb6
1 parent 60edf2f
commit 2f87fb6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
@@ -107,7 +107,9 @@ public function logout() {
 		}
 		$this->userSession->logout();
 
-		return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+		$response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
+		$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"');
+		return $response;
 	}
 
 	/**

diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
@@ -95,6 +95,7 @@ public function testLogoutWithoutToken() {
 			->willReturn('/login');
 
 		$expected = new RedirectResponse('/login');
+		$expected->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"');
 		$this->assertEquals($expected, $this->loginController->logout());
 	}
 
@@ -124,6 +125,7 @@ public function testLogoutWithToken() {
 			->willReturn('/login');
 
 		$expected = new RedirectResponse('/login');
+		$expected->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"');
 		$this->assertEquals($expected, $this->loginController->logout());
 	}