
dgt41 - 6 Jan 2017

Pull Request due to this tweet: https://twitter.com/mikewest/status/817391771508502529

Summary of Changes

Add Clear-Site-Data to the array of $singleValueResponseHeaders in libraries/joomla/application/web.php

Info about Clear-Site-Data: https://w3c.github.io/webappsec-clear-site-data/

Testing Instructions

Use https on your localhost!!!
Use latest chrome (the only browser that supports it right now, in experimental mode)
Enable experimental mode: chrome://flags/#enable-experimental-web-platform-features

Edit administrator/components/com_login/controller.php
and paste after line 111:

		// https://w3c.github.io/webappsec-clear-site-data/
		$app = JFactory::getApplication();
		$app->setHeader('Clear-Site-Data', '{"types": ["cache", "storage"]}');
		$app->sendHeaders();

Log in and log out in the administrator area and observe the headers:
[screenshot: screen shot 2017-01-06 at 21 05 21]

Documentation Changes Required


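The following is an added example, not part of this PR and not Joomla's own code. It shows the two points the change depends on: a header registered as single-value is replaced rather than appended when set twice, and Clear-Site-Data only does anything on a secure origin, so a logout handler should know whether the header will take effect. The `HeaderBag` class and the `buildClearSiteData` / `addLogoutClearing` functions are hypothetical stand-ins for the application object; the header value is built in the quoted-token form the W3C spec later settled on (`"cache", "storage"`), whereas the snippet in the testing instructions uses the earlier JSON form that Chrome's experimental build accepted at the time.

```php
<?php
// Added example (not Joomla's code): build and validate a Clear-Site-Data
// header for a logout response and show why it must be a single-value header.

// Data types defined by the W3C Clear-Site-Data spec (quoted-token syntax).
const CLEAR_SITE_DATA_TYPES = ['cache', 'cookies', 'storage', 'executionContexts'];

/**
 * Build a Clear-Site-Data header value from a list of data types.
 * Unknown types are rejected instead of passed through, so a typo cannot
 * produce a header value the browser silently ignores.
 */
function buildClearSiteData(array $types): string
{
    $quoted = [];
    foreach ($types as $type) {
        if ($type === '*') {
            return '"*"';   // wildcard: clear everything the user agent supports
        }
        if (!in_array($type, CLEAR_SITE_DATA_TYPES, true)) {
            throw new InvalidArgumentException("Unsupported Clear-Site-Data type: $type");
        }
        $quoted[] = '"' . $type . '"';
    }
    if ($quoted === []) {
        throw new InvalidArgumentException('At least one data type is required');
    }
    return implode(', ', array_unique($quoted));
}

/**
 * Minimal response-header store (hypothetical, not JApplicationWeb) that
 * models the single-value / multi-value distinction the PR relies on:
 * single-value headers are replaced on a repeated set, others are appended.
 */
class HeaderBag
{
    private array $headers = [];
    private array $singleValue;

    public function __construct(array $singleValue)
    {
        $this->singleValue = array_map('strtolower', $singleValue);
    }

    public function set(string $name, string $value): void
    {
        $key = strtolower($name);
        if (in_array($key, $this->singleValue, true)) {
            $this->headers[$key] = [$value];   // replace the previous value
        } else {
            $this->headers[$key][] = $value;   // append another value
        }
    }

    public function get(string $name): array
    {
        return $this->headers[strtolower($name)] ?? [];
    }
}

/**
 * Attach Clear-Site-Data to a logout response. Browsers honour the header
 * only on secure origins, so on plain HTTP nothing is set and the caller is
 * told the clearing did not happen instead of assuming it did.
 */
function addLogoutClearing(HeaderBag $bag, bool $isHttps, array $types): bool
{
    if (!$isHttps) {
        return false;
    }
    $bag->set('Clear-Site-Data', buildClearSiteData($types));
    return true;
}

// Demonstration with the data types used in the PR's test snippet.
$bag = new HeaderBag(['Clear-Site-Data', 'Content-Type', 'Location']);
addLogoutClearing($bag, true, ['cache', 'storage']);
// Setting it again replaces the value; a multi-value header would have
// produced two Clear-Site-Data lines in the response.
addLogoutClearing($bag, true, ['cache', 'storage', 'cookies']);
echo 'Clear-Site-Data: ' . implode(' | ', $bag->get('Clear-Site-Data')) . PHP_EOL;

// Plain-HTTP logout: the header is deliberately not emitted.
$plain = new HeaderBag(['Clear-Site-Data']);
var_dump(addLogoutClearing($plain, false, ['cookies']));
var_dump($plain->get('Clear-Site-Data'));
```

Run it with `php example.php`. The HTTPS check mirrors the "Use https on your localhost!!!" step in the testing instructions: without it the header is sent but the browser discards it, which is easy to mistake for a working logout cleanup.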

e96101c - 6 Jan 2017 - dgt41 - init
dgt41 - open - 6 Jan 2017
dgt41 - change - 6 Jan 2017
Status: New -> Pending
dgt41 - change - 6 Jan 2017
The description was changed
dgt41 - edited - 6 Jan 2017
joomla-cms-bot - change - 6 Jan 2017
Category: Libraries
dgt41 - change - 6 Jan 2017
The description was changed
dgt41 - edited - 6 Jan 2017
810 - comment - 6 Jan 2017

I have tested this item successfully on e96101c


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13497.

810 - test_item - 6 Jan 2017 - Tested successfully
dgt41 - comment - 24 May 2017

@mbabker any chance to get this in 3.8, or should I rebase it to J4 / close it?

mbabker - comment - 24 May 2017

As far as I'm concerned it can go into 3.7.3 if tested/reviewed.

ggppdk - comment - 27 May 2017

A shorter (and older) description is here:
https://www.chromestatus.com/feature/4713262029471744

Quoting

A ‘Clear-Site-Data’ HTTP header prompts the user agent to clear browsing data associated with the requesting website. The supported browsing data types are cookies, storage (i.e. “site data”), and cache. This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to ‘reset’ itself to a clean state.

ggppdk - comment - 27 May 2017

I have tested this item successfully on e96101c


ggppdk - test_item - 27 May 2017 - Tested successfully
franz-wohlkoenig - change - 27 May 2017
Status: Pending -> Ready to Commit
franz-wohlkoenig - comment - 27 May 2017

RTC after two successful tests.

rdeutz - change - 6 Jun 2017
Status: Ready to Commit -> Fixed in Code Base
Closed_Date: 2017-06-06 19:01:45
Closed_By: rdeutz
Labels Added: ?
rdeutz - close - 6 Jun 2017
rdeutz - merge - 6 Jun 2017
