refactor: add cache-control header in the polling response

darrachequesne · darrachequesne · commit 9545b44b3ccc · 2023-10-05T17:19:08.000+02:00
This header should not be needed since the client already includes a cache busting query parameter ("t"), but a misconfigured CDN could ignore the query parameters and cache the server response. Related: socketio/socket.io#4842
diff --git a/lib/transports-uws/polling.ts b/lib/transports-uws/polling.ts
@@ -423,6 +423,8 @@ export class Polling extends Transport {
       headers["X-XSS-Protection"] = "0";
     }
 
+    headers["cache-control"] = "no-store";
+
     this.emit("headers", headers, req);
     return headers;
   }
diff --git a/lib/transports/polling.ts b/lib/transports/polling.ts
@@ -392,6 +392,8 @@ export class Polling extends Transport {
       headers["X-XSS-Protection"] = "0";
     }
 
+    headers["cache-control"] = "no-store";
+
     this.emit("headers", headers, req);
     return headers;
   }
diff --git a/test/server.js b/test/server.js
@@ -3443,13 +3443,12 @@ describe("server", () => {
   });
 
   describe("response headers", () => {
-    function testForHeaders(headers, done) {
+    function testForHeaders(headers, callback) {
       const engine = listen((port) => {
         engine.on("connection", (conn) => {
           conn.transport.once("headers", (headers) => {
-            expect(headers["X-XSS-Protection"]).to.be("0");
+            callback(headers);
             conn.close();
-            done();
           });
           conn.send("hi");
         });
@@ -3465,15 +3464,28 @@ describe("server", () => {
         "user-agent":
           "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)",
       };
-      testForHeaders(headers, done);
+      testForHeaders(headers, (headers) => {
+        expect(headers["X-XSS-Protection"]).to.be("0");
+        done();
+      });
     });
 
     it("should contain X-XSS-Protection: 0 for IE11", (done) => {
       const headers = {
         "user-agent":
           "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
       };
-      testForHeaders(headers, done);
+      testForHeaders(headers, (headers) => {
+        expect(headers["X-XSS-Protection"]).to.be("0");
+        done();
+      });
+    });
+
+    it("should include a 'cache-control' header", (done) => {
+      testForHeaders({}, (headers) => {
+        expect(headers["cache-control"]).to.be("no-store");
+        done();
+      });
     });
 
     it("should emit a 'initial_headers' event (polling)", (done) => {

Original file line number	Diff line number	Diff line change
`@@ -423,6 +423,8 @@ export class Polling extends Transport {`
`423`	`423`	`headers["X-XSS-Protection"] = "0";`
`424`	`424`	`}`
`425`	`425`
	`426`	`+ headers["cache-control"] = "no-store";`
	`427`	`+`
`426`	`428`	`this.emit("headers", headers, req);`
`427`	`429`	`return headers;`
`428`	`430`	`}`
Original file line number	Diff line number	Diff line change
`@@ -392,6 +392,8 @@ export class Polling extends Transport {`
`392`	`392`	`headers["X-XSS-Protection"] = "0";`
`393`	`393`	`}`
`394`	`394`
	`395`	`+ headers["cache-control"] = "no-store";`
	`396`	`+`
`395`	`397`	`this.emit("headers", headers, req);`
`396`	`398`	`return headers;`
`397`	`399`	`}`