author | Andrew Arnott <andrewarnott@gmail.com> | 2010-10-20 21:49:29 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2010-10-20 21:49:29 -0700 |
commit | 2a57d2bea6fea2c9302e9b64a6385140e7b3fc78 (patch) | |
tree | 967fc6e48e855c65b6727f788451bfda0f53803e | |
parent | 4cb6cae320bcba3cf595db2b3676b60a449b33c0 (diff) | |
Added no-cache headers to all outgoing response messages.
-rw-r--r-- | src/DotNetOpenAuth/Messaging/Channel.cs | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth/Messaging/Channel.cs b/src/DotNetOpenAuth/Messaging/Channel.cs
index 3d56f02..aac0dd9 100644
--- a/src/DotNetOpenAuth/Messaging/Channel.cs
+++ b/src/DotNetOpenAuth/Messaging/Channel.cs
@@ -275,7 +275,8 @@ namespace DotNetOpenAuth.Messaging {
 directedMessage.Recipient != null,
 "message",
 MessagingStrings.DirectedMessageMissingRecipient);
- return this.PrepareIndirectResponse(directedMessage);
+ result = this.PrepareIndirectResponse(directedMessage);
+ break;
 default:
 throw ErrorUtilities.ThrowArgumentNamed(
 "message",
@@ -283,6 +284,13 @@ namespace DotNetOpenAuth.Messaging {
 "Transport",
 message.Transport);
 }
+
+ // Apply caching policy to any response. We want to disable all caching because in auth* protocols,
+ // caching can be utilized in identity spoofing attacks.
+ result.Headers[HttpResponseHeader.CacheControl] = "no-cache, no-store, max-age=0, must-revalidate";
+ result.Headers[HttpResponseHeader.Pragma] = "no-cache";
+
+ return result;
 }
 
 /// <summary> |
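Review bot: Replacing the direct `return` with `result = this.PrepareIndirectResponse(directedMessage); break;` only routes this arm through the headers appended after the switch; any other arm that still returns directly would bypass them, and those arms are above this hunk and not visible here. `result` is not declared anywhere in this diff, so it presumably already existed for another arm, which suggests the others were already converted, but that is worth confirming since the diffstat shows only this one deletion. The enclosing method's signature and its earlier switch arms lie outside this hunk.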
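Review bot: The new `Cache-Control` and `Pragma` lines cover HTTP/1.1 caches and legacy caches that honour `Pragma`, but an intermediary that only understands `Expires` will still store the response; the usual companion is `result.Headers[HttpResponseHeader.Expires] = "0";` (an invalid or past date is treated as already expired). The comment above the assignments would also help a later reader more if it named the actual threat, e.g. `// Disable caching at every hop: a cached assertion or token response could be replayed from a shared proxy or the browser's back/forward cache to a different user.` Writing `result.Headers[...]` unconditionally is only safe because every non-throwing switch arm assigns `result` (the visible arm does and the default arm throws); the declaration of `result` and the earlier arms sit outside this hunk, so that cannot be checked from here.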