Merge pull request #39 from 2manymws/ignore-set-cookie

Does not store responses with Set-Cookie headers by default, similar to NGINX
2manymws · Dec 20, 2023 · 337bbda · 337bbda
2 parents 45b3316 + c738736
commit 337bbda
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/rfc9111/shared.go b/rfc9111/shared.go
@@ -15,6 +15,7 @@ type Shared struct {
 	understoodStatusCodes             []int
 	heuristicallyCacheableStatusCodes []int
 	heuristicExpirationRatio          float64
+	storeRequestWithSetCookieHeader   bool
 	extendedRules                     []ExtendedRule
 }
 
@@ -65,6 +66,14 @@ func HeuristicExpirationRatio(ratio float64) SharedOption {
 	}
 }
 
+// StoreRequestWithSetCookieHeader enables storing request with Set-Cookie header.
+func StoreRequestWithSetCookieHeader() SharedOption {
+	return func(s *Shared) error {
+		s.storeRequestWithSetCookieHeader = true
+		return nil
+	}
+}
+
 // ExtendedRules sets the extended rules.
 func ExtendedRules(rules []ExtendedRule) SharedOption {
 	return func(s *Shared) error {
@@ -144,6 +153,13 @@ func (s *Shared) Storable(req *http.Request, res *http.Response, now time.Time)
 		return false, time.Time{}
 	}
 
+	// In RFC 9111, Servers that wish to control caching of responses with Set-Cookie headers are encouraged to emit appropriate Cache-Control response header fields (see https://httpwg.org/specs/rfc9111.html#rfc.section.7.3).
+	// But to beat on the safe side, this package does not store responses with Set-Cookie headers by default, similar to NGINX.
+	// THIS IS NOT RFC 9111.
+	if req.Header.Get("Set-Cookie") != "" && !s.storeRequestWithSetCookieHeader {
+		return false, time.Time{}
+	}
+
 	expires := CalclateExpires(rescc, res.Header, s.heuristicExpirationRatio, now)
 	if expires.Sub(now) <= 0 {
 		if expires.Sub(time.Time{}) == 0 {

diff --git a/rfc9111/shared_test.go b/rfc9111/shared_test.go
@@ -301,6 +301,24 @@ func TestShared_Storable(t *testing.T) {
 			false,
 			time.Time{},
 		},
+		{
+			"GET Set-Cookie: k=v 200 Cache-Control: max-age=15 -> No Store",
+			&http.Request{
+				Method: http.MethodGet,
+				Header: http.Header{
+					"Set-Cookie": []string{"k=v"},
+				},
+			},
+			&http.Response{
+				StatusCode: http.StatusOK,
+				Header: http.Header{
+					"Cache-Control": []string{"max-age=15"},
+				},
+			},
+			nil,
+			false,
+			time.Time{},
+		},
 		{
 			"ExtendedRule(+15s) GET 200 -> +15s",
 			&http.Request{