HTTPS Caching Test Page

Jacob Thompson
Independent Security Evaluators

There are multiple ways to instruct a web browser not to write a web page to its disk cache. The only method specified in the HTTP/1.1 standard (RFC 2616 at the time of writing; the caching rules have since been respecified in RFC 7234 and RFC 9111 with the same directive) is the response header Cache-Control: no-store. In addition, some web browsers treat other headers as a signal that a page should not be written to disk even though the standard gives them no such meaning (Cache-Control: no-cache, for example, only requires revalidation before a stored copy is reused, and Pragma: no-cache is defined as a request directive), while other browsers refuse to disk-cache any page simply because it was delivered over HTTPS. For full details about current and historical browser behavior, additional information about caching of HTTPS data in general, and further references, see my white paper, Industry-wide Misunderstandings of HTTPS, and my DEF CON talk, C.R.E.A.M. Cache Rules Evidently Ambiguous, Misunderstood.

This page uses iframe tags to load HTML documents that are served with various combinations of HTTP response headers and HTML meta http-equiv tags. After visiting this page and closing your web browser, you can inspect the browser's disk cache to determine which (if any) of the HTML files from this site were stored in it. First, you may want to clear the disk cache, both to reduce the number of entries you must look through and to shorten the time the browser needs to display them (Firefox is particularly slow at displaying disk cache entries). Then, after reloading this page, check the disk cache again to see which pages were stored. Each page loaded in an iframe has a file name that indicates which response headers or meta tags it uses, so the file names present in the cache tell you directly which mechanisms your browser ignored.

Clearing the Disk Cache

Viewing Disk Cache Entries

Example Results

Test Pages

These pages are intended to be cached

These pages use methods that successfully prevent caching in at least one browser

These pages use methods that fail to prevent caching in any browser