Pull Request due to this tweet: https://twitter.com/mikewest/status/817391771508502529
Add Clear-Site-Data
to the array of $singleValueResponseHeaders
in libraries/joomla/application/web.php
Info about Clear-Site-Data: https://w3c.github.io/webappsec-clear-site-data/
Use https on your localhost!!!
Use latest chrome (the only browser that supports it right now, in experimental mode)
Enable experimental mode: chrome://flags/#enable-experimental-web-platform-features
Edit administrator/components/com_login/controller.php
and paste after line 111:
```php
// https://w3c.github.io/webappsec-clear-site-data/
// Fetch the application once and reuse it, so $app is defined before use.
$app = JFactory::getApplication();
// JSON-object form of the header used by the draft at the time of this PR.
$app->setHeader('Clear-Site-Data', '{"types": ["cache", "storage"]}');
$app->sendHeaders();
```
Log in and log out in the administrator area
observe the headers:
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries |
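The test steps above describe two things a reviewer wants to confirm: that Clear-Site-Data is emitted on logout, and that because it is now in the single-value list only one copy of the header reaches the browser. The following is an added example written for this note, not code from the PR or from Joomla: a small Python model of a single-value header buffer, a builder for the JSON-object value the PR uses, and a checker that parses a logout response's raw headers. The header names in `SINGLE_VALUE_HEADERS` are assumed for the model (Joomla's own list lives in `$singleValueResponseHeaders`), and the parser also accepts the later comma-separated quoted-directive syntax of the published specification, which replaced the JSON object used here.

```python
import json

# Header names treated as single-valued in this model. Joomla keeps such a
# list in $singleValueResponseHeaders; this PR adds Clear-Site-Data to it.
# The other names here are assumed for the model, not copied from the library.
SINGLE_VALUE_HEADERS = {"status", "content-type", "content-length", "clear-site-data"}

# The three data types the page names for the header.
CLEAR_SITE_DATA_TYPES = {"cache", "cookies", "storage"}


class ResponseHeaders:
    """Ordered header buffer; single-valued names replace earlier copies."""

    def __init__(self):
        self._headers = []  # list of (name, value) in insertion order

    def set_header(self, name, value):
        if name.lower() in SINGLE_VALUE_HEADERS:
            # Drop any earlier copy so only one instance is ever sent.
            self._headers = [(n, v) for n, v in self._headers if n.lower() != name.lower()]
        self._headers.append((name, value))

    def render(self):
        """Serialise as a raw header block, one 'Name: value' per line."""
        return "\r\n".join(f"{n}: {v}" for n, v in self._headers)


def clear_site_data_value(types):
    """Build the JSON-object form used by the draft and by this PR."""
    unknown = set(types) - CLEAR_SITE_DATA_TYPES
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data types: {sorted(unknown)}")
    return json.dumps({"types": list(types)})


def parse_clear_site_data(value):
    """Return the set of types named by a Clear-Site-Data value.

    Accepts the draft's JSON object ({"types": [...]}) and the published
    specification's comma-separated quoted directives ("cache", "storage").
    Returns None if the value is malformed.
    """
    value = value.strip()
    if value.startswith("{"):
        try:
            types = json.loads(value)["types"]
        except (ValueError, KeyError, TypeError):
            return None
        return set(types) if isinstance(types, list) else None
    types = set()
    for item in value.split(","):
        item = item.strip()
        if len(item) < 2 or item[0] != '"' or item[-1] != '"':
            return None
        types.add(item[1:-1])
    return types


def check_logout_headers(raw, required=("cache", "storage")):
    """Verify a logout response carries exactly one Clear-Site-Data header
    covering the required types. Returns (ok, detail)."""
    values = [
        line.split(":", 1)[1]
        for line in raw.split("\r\n")
        if line.lower().startswith("clear-site-data:")
    ]
    if len(values) != 1:
        return False, f"expected one Clear-Site-Data header, found {len(values)}"
    types = parse_clear_site_data(values[0])
    if types is None:
        return False, "malformed Clear-Site-Data value"
    missing = set(required) - types
    if missing:
        return False, f"missing types: {sorted(missing)}"
    return True, sorted(types)


def logout_response():
    """Model of the logout path: the header is set twice (as would happen if
    both a controller and the library set it); only the last copy survives."""
    resp = ResponseHeaders()
    resp.set_header("Content-Type", "text/html; charset=utf-8")
    resp.set_header("Clear-Site-Data", clear_site_data_value(["cache"]))
    resp.set_header("Clear-Site-Data", clear_site_data_value(["cache", "storage"]))
    return resp.render()


if __name__ == "__main__":
    raw = logout_response()
    print(raw)
    print(check_logout_headers(raw))
```

Running the module prints the modelled logout headers with a single Clear-Site-Data line and the checker's verdict. To check a real deployment, paste the raw response headers captured from the browser's network panel into `check_logout_headers`; a second Clear-Site-Data line, or a value the parser rejects, is reported rather than silently accepted.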
As far as I'm concerned it can go into 3.7.3 if tested/reviewed.
A shorter (and older) description is here:
https://www.chromestatus.com/feature/4713262029471744
Quoting
A ‘Clear-Site-Data’ HTTP header prompts the user agent to clear browsing data associated with the requesting website. The supported browsing data types are cookies, storage (i.e. “site data”), and cache. This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to ‘reset’ itself to a clean state.
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC after two successful tests.
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-06-06 19:01:45 |
Closed_By | ⇒ | rdeutz |
I have tested this item ✅ successfully on e96101c
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13497.