Security Fix browser loading cached page when page full reload (F5) +…

… logout + Back button
francoisjacquet · Apr 9, 2023 · 6433946 · 6433946
1 parent cbb9886
commit 6433946
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 18 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -10,14 +10,17 @@ Changes in 11.0
 - Translate "Zip" & "Zipcode" to "Zip Code" in GetStuList.fnc.php, MyReport.php, Registration.fnc.php, Schools.php & Address.inc.php
 - HTML Text input min size is 2 in Inputs.php
 
+Changes in 10.9.3
+-----------------
+- Security Fix browser loading cached page when page full reload (F5) + logout + Back button in warehouse.js, thanks to @b1tch3s
+
 Changes in 10.9.2
 -----------------
 - Fix Format Contact Field value based on its Type in ViewContact.php
 - Fix regression add Contact Info columns to list in MyReport.php
 - ETag + Cache-Control header: use no-cache directive in Warehouse.php
 - Set `$_SESSION['is_secondary_teacher']` in SetUserCoursePeriod() in Current.php
 - Fix Set current User Course Period before Secondary Teacher logic in TakeAttendance.php, AnomalousGrades.php, Assignments.php, Grades.php, InputFinalGrades.php & ProgressReports.php
-- Security Fix browser loading cached page when page full reload (F5) + logout + Back button in warehouse.js, thanks to @b1tch3s
 
 Changes in 10.9.1
 -----------------

diff --git a/assets/js/plugins.min.js b/assets/js/plugins.min.js
diff --git a/assets/js/plugins.min.js.map b/assets/js/plugins.min.js.map
diff --git a/assets/js/warehouse.js b/assets/js/warehouse.js
@@ -497,27 +497,31 @@ var ajaxPopState = function() {
  * @link https://stackoverflow.com/questions/17432899/javascript-bfcache-pageshow-event-event-persisted-always-set-to-false
  * @link https://huntr.dev/bounties/efe6ef47-d17c-4773-933a-4836c32db85c/
  */
-if (window.performance && (performance.navigation.type == 2
-	|| (performance.getEntriesByType
-		&& performance.getEntriesByType("navigation")[0]
-		&& performance.getEntriesByType("navigation")[0].type === 'back_forward'))) {
-	location.reload();
-}
+function browserHistoryCacheBuster(event) {
+	if (location.href.indexOf('Modules.php?') === -1) {
+		// Current page is not Modules.php, no login required, skip.
+		return;
+	}
 
-window.onpageshow=function(event) {
-	/**
-	 * Same as above for Safari (does not execute Javascript on history back)
-	 * persisted indicates if the document is loading from a cache (not reliable)
-	 *
-	 * @link https://web.dev/bfcache/
-	 */
-	if (event.persisted
+	// persisted indicates if the document is loading from a cache (not reliable)
+	if ((event && event.persisted)
 		|| window.performance && (performance.navigation.type == 2
 			|| (performance.getEntriesByType
 				&& performance.getEntriesByType("navigation")[0]
 				&& performance.getEntriesByType("navigation")[0].type === 'back_forward'))) {
 		location.reload();
 	}
+}
+
+browserHistoryCacheBuster();
+
+/**
+ * onpageshow: Same as above for Safari (does not execute Javascript on history back)
+ *
+ * @link https://web.dev/bfcache/
+ */
+window.onpageshow=function(event) {
+	browserHistoryCacheBuster(event);
 };
 
 // onunload: Fix for Firefox to execute Javascript on history back.