[1859] in WWW Security List Archive


Re: how do I keep a browser from caching files

daemon@ATHENA.MIT.EDU (David W. Morris)
Sun Apr 21 18:27:33 1996

Date: Sun, 21 Apr 1996 12:37:57 -0700 (PDT)
From: "David W. Morris" <dwm@shell.portal.com>
To: Will Day <willday@rom.oit.gatech.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199604200431.AAA25280@rom.oit.gatech.edu>
Errors-To: owner-www-security@ns2.rutgers.edu



On Sat, 20 Apr 1996, Will Day wrote:

> A short time ago, at a computer terminal far, far away, Daryl Hawes wrote:
> >  My department is trying to run a program that will allow users to 
> >access sensitive data. We have the security/password part down, but 
> >most of the accesses will come from unsecure lab room machines. Does 
> >anyone know of a way, an HTML tag, a meta tag, or something that will 
> >instruct our university's Netscape 2.0 or better browsers not to cache 
> >the resulting files, so that if a user walks away from a machine 
> >someone else cannot come along and use the "back" button to view their 
> >information?
> 
> Would this work:
> 	<HEAD>
> 	<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
> 	</HEAD>

There is no requirement for either the server or the browser to process and
honor <meta> data. Thus, this will contribute to an assured solution.

As an individual, you can set your disk cache to 0 and reasonably expect that
if you close your browser nothing will remain. You could also configure your
server to not serve such data to lab machines. I am aware of a bank which
sends what it considers sensitive data as error responses (HTTP status 
!=200). Browsers tend not to cache or keep in the history buffer such
data but it is an ugly human interface and may result in unexpected repeated
network requests, etc.

As someone else noted, there is no way to absolutely insure a particular
browser behavior and worse yet there is nothing in the protocols to
specify this particular behavior.

Dave Morris
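
Added example, not part of the original message: a Python check for the case discussed in this thread, where a directive such as Pragma: no-cache exists only as a <META HTTP-EQUIV> tag inside the HTML and was never sent as a real HTTP response header. The function names and the two sample responses are constructed for illustration.

```python
from html.parser import HTMLParser


class MetaCollector(HTMLParser):
    """Collects <meta http-equiv=... content=...> pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs = {}

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if "http-equiv" in a:
            self.pairs[a["http-equiv"].strip().lower()] = a.get("content", "").strip()


def split_response(raw: bytes):
    """Split a raw HTTP response into (lowercased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body.decode("latin-1", errors="replace")


def meta_only_directives(raw: bytes):
    """Return http-equiv directives present in the HTML but absent from the
    real response headers, i.e. ones nothing is required to honor."""
    headers, body = split_response(raw)
    collector = MetaCollector()
    collector.feed(body)
    return {k: v for k, v in collector.pairs.items() if k not in headers}


# Constructed sample responses (not captured traffic).
BODY = b'<HEAD>\n<META HTTP-EQUIV="Pragma" CONTENT="no-cache">\n</HEAD>\n<BODY>data</BODY>'
SAMPLE_META_ONLY = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" + BODY
SAMPLE_WITH_HEADER = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nPragma: no-cache\r\n\r\n" + BODY
)

if __name__ == "__main__":
    print("meta only:  ", meta_only_directives(SAMPLE_META_ONLY))
    print("with header:", meta_only_directives(SAMPLE_WITH_HEADER))
```

A non-empty result means the page depends on the browser choosing to interpret the tag; it says nothing about whether a given browser actually does.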
