Skip to content

Do not send Clear-Site-Data header to Chrome-like browsers #41204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
HLFH wants to merge 4 commits into from
Closed

Do not send Clear-Site-Data header to Chrome-like browsers #41204

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9643cb1
Do not send Clear-Site-Data to Chrome-like browsers
HLFH Oct 30, 2023
9bc6d9a
Do not send Clear-Site-Data to Chrome-like browsers - test
HLFH Oct 30, 2023
66ba1cd
Make sure Firefox doesn't use Clear-Site-Data header on unsupported s…
HLFH Nov 16, 2023
ec2d8e6
Update core/Controller/LoginController.php
nickvergessen Nov 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Do not send Clear-Site-Data to Chrome-like browsers 
Clear-Site-Data is broken on Chrome-like browsers.
https://bugs.chromium.org/p/chromium/issues/detail?id=1349087

Signed-off-by: Gaspard d'Hautefeuille <[email protected]>
  • Loading branch information
@HLFH @solracsf
HLFH authored and solracsf committed Dec 8, 2023
commit 9643cb13ee71a1f44d8e2e985b3b9582ca1fcb46
4 changes: 2 additions & 2 deletions core/Controller/LoginController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
*/
namespace OC\Core\Controller;

use OC\AppFramework\Http\Request;
use OC\Authentication\Login\Chain;
use OC\Authentication\Login\LoginData;
use OC\Authentication\WebAuthn\Manager as WebAuthnManager;
Expand Down Expand Up @@ -105,8 +106,7 @@ public function logout() {
$this->session->set('clearingExecutionContexts', '1');
$this->session->close();

if ($this->request->getServerProtocol() === 'https') {
// This feature is available only in secure contexts
if (!$this->request->isUserAgent([Request::USER_AGENT_CHROME, Request::USER_AGENT_ANDROID_MOBILE_CHROME])) {
Copy link
Member

@tcitworld tcitworld Nov 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can keep both checks

Copy link
Contributor Author

@HLFH HLFH Nov 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only reverted to the former code that was working for Chrome-like browsers.
I fixed the regression and did not add any minor feature such as the HTTPS check.
This might be best to add the HTTPS check in an additional PR.

$response->addHeader('Clear-Site-Data', '"cache", "storage"');
}

Expand Down